
16-31 July 2013


US – Advocates Support Banning Biometrics in Schools

As more schools explore and adopt security systems for identification purposes, one such move “recently caused a stir in Florida when Polk County Schools decided to incorporate biometric data systems.” The use of technology such as iris scans could soon be banned in the state’s schools, the report states, noting the school district launched a pilot program “allowing a security company to install iris scanners on school buses” without notifying parents in advance. The security company has said it deleted all information gathered, but concerns remain, and the ACLU of Florida says a bill is in the works to ban such systems, the report states. [WFSU]


US – Privacy Predicted to Be Next Competitive Differentiator

A Forrester survey finds that 62% of consumers say they would be “not at all likely” to do business again with a company known to have shared their PII with a data broker. Further, 37% report that they’ve abandoned a transaction online due to something they didn’t like in the terms of service, including the privacy policy. Finally, the study, commissioned by analytics firm Neustar, finds more than a quarter of respondents now using ad-blocking software. This leads Forrester to conclude that privacy is “the new green movement.” [GigaOm] See also: [New trends in data-driven remote healthcare in the U.S.]

WW – Consumers Changing Their Browsing Habits

New reports examine the changing browsing habits of consumers in light of the recent NSA disclosures. Meanwhile, a new browser add-on was introduced on Monday that aims to shield consumers from data mining by preventing users from disclosing contact information, CNET News reports. MaskMe, created by Abine, creates and manages “dummy” accounts for a user’s e-mail, phone number, credit card and website logins. According to the company, consumers tend to lose out in the “data-for-service exchange,” while companies win. Abine’s Sarah Downey said, “The real lesson is, ‘Stop: Don’t give out your personal information.’” [The Associated Press]

US – Companies Shifting to Meet Consumer Expectations

Products are changing based on consumer expectations of privacy. Pinterest is now offering users a Do-Not-Track option. Google Now is a digital assistant capable of alerting users if a flight is delayed or a particular route is backed up with traffic, but Google reserves the service’s full functionality for those users who don’t mind their locations being tracked, the report states. And Facebook’s latest ad offerings target users based only on age and gender rather than more granular data. [Forbes]


US – Ballot Initiative Could Establish “Very Different Set of Privacy Rules”

A former California state senator and a trial lawyer have filed a “potentially revolutionary draft ballot initiative” with the California Attorney General’s Office, writes DLA Piper’s Jim Halpert. The initiative would restrict business and government disclosures of a broad range of personally identifiable information, Halpert writes, which could only be disclosed in narrow circumstances. If voters approve the initiative, California’s constitution would be amended to include “a very broad opt-in privacy regime with narrow exceptions…bringing to California a very different set of privacy rules than apply anywhere in the United States.” It would result in major cost increases for both business and government operations, Halpert writes. [Technology’s Legal Edge]


US – Microsoft Denies Giving NSA Unfettered Access to eMail

Microsoft says it is within its First Amendment rights to disclose national security requests for user data. Microsoft also says that it does not provide the NSA with encryption keys to access email, despite reports that it was helping the intelligence agency bypass security measures to access web chats through Outlook and was putting backdoor access in its products to aid federal investigations. [eWeek] [The Register] [ComputerWorld] [ZDNet]

Electronic Records

US – New “Hub” Database Raises Privacy Concerns

As part of the massive overhaul of America’s healthcare system, databases from seven U.S. agencies—from the Internal Revenue Service to the Peace Corps—will be tied together in one $267 million computer system called the Hub to determine which U.S. citizens can purchase medical coverage. The size and breadth of the system is raising red flags from some who are concerned about privacy and security risks, as the system will include data such as identity, citizenship, income and family size. One lawmaker queried, “It’s information on 300 million Americans, all compiled in one place—what could go wrong?” Others note, however, that the system can only access data on potential enrollees and there’s not a central storage center for the data. [Source]


WW – Facebook Browsing Now “Secure” by Default

Earlier this week, Facebook made “secure” browsing a default setting. The option to use TLS (Transport Layer Security) encryption has been available for two years. “Secure” browsing means that data sent to Facebook servers by users will be encrypted in transit. Among the reasons it took this long for Facebook to make “secure” browsing the default setting is that the company had to wait for third-party applications to upgrade their platforms to avoid compatibility issues. [ComputerWorld]

EU Developments

EU – Hawkes Says Google, Facebook Safe from Audit

While Irish DPA Billy Hawkes announced last week he was beginning a formal audit of LinkedIn, the Office of the Data Protection Commissioner (ODPC) has said in e-mail correspondence with an advocacy group that it will not be investigating Facebook and Google in relation to the NSA revelations. “We do not consider that there are grounds for an investigation under the Irish Data Protection Acts given that ‘Safe Harbor’ requirements have been met,” the ODPC wrote. However, that Safe Harbor agreement is now consistently under fire. Earlier this week, EU Justice Commissioner Reding said she would be reviewing the agreement, and now German privacy officials are calling on Chancellor Merkel to push for suspension of the Safe Harbor agreement. [The Independent]

EU – Commissioner Begins Inquiry Into LinkedIn

Irish Data Protection Commissioner Billy Hawkes has launched an audit of social networking firm LinkedIn, adding it could have ramifications worldwide. Hawkes has confirmed his team has begun the audit as part of a process that will look into all social media firms based in Ireland. LinkedIn suffered a data breach earlier this year. [The Independent]

EU – Safe Harbour Agreement “Under Review”, Says European Commission

Vice President of the European Commission Viviane Reding said the commission will present a “solid assessment” of the current Safe Harbor agreement between the EU and U.S. by the end of the year. The European Parliament has called on the commission to conduct such a review following revelations that Safe Harbor parties were involved in the U.S. National Security Agency’s surveillance program. Reding has said, “The Safe Harbor agreement may not be so safe after all.”

EU – European Parliament Wants NSA Chief to Testify

The European Parliament is set to initiate an investigation into the NSA surveillance program disclosures and is amassing “an interesting list of witnesses” to testify about the issue, including U.S. National Security Agency Chief Gen. Keith Alexander, whistleblower Edward Snowden and The Guardian’s Glenn Greenwald. The European Parliament plans to hold the series of hearings about the programs in September. A Deutsche Welle report asks if European Union interior ministers are partly responsible for collaborating with U.S. security agencies. European Home Affairs Commissioner Cecilia Malmström said that the EU is not solely responsible for data protection, as security agency activities generally come under the jurisdiction of member states. [Slate]

EU – Germany Wants UN Privacy Charter

In response to the NSA disclosures, senior German government officials are lobbying for expansion of the 1966 UN human rights treaty to cover modern forms of communication such as e-mail and social networks. German foreign and justice ministers sent a letter—which was released more broadly on Wednesday—to their European Union counterparts last week: “We want to use the current debate to launch an initiative that would outline the inalienable privacy rights under current conditions.” The letter also suggests convening all 167 parties to the International Covenant on Civil and Political Rights. German data protection authorities have also called for suspension of a key data-sharing agreement between the EU and U.S. [The Associated Press]


UK – Critics Say UK Prime Minister’s Web Filtering Plan is Misguided

UK Prime Minister David Cameron’s plan to make Internet service providers (ISPs) and search engines filter pornography is seen by some as misguided. Open Rights Group executive director Jim Killock notes that “banning search terms seems unlikely to combat the serious activity, which is independent of search engines.” And technology journalist Simon Bisson writes, “What the UK government should be concentrating on is an effort to break the financial ties that hold the darknets together. Finding who holds the purse strings is a complex task, but it’s a technique that has been proven to work time and time again. And perhaps it should also be noted that it’s an approach that’s well within the capabilities of the powerful surveillance tools that government security agencies have put in place … to combat terrorism.” [ZDNet] [BBC] [CNET] [ComputerWorld] [Draft of Cameron’s Speech]


US – 160 Million Credit Cards Stolen; Indictment Reveals Wall Street Exposure

Five people have been indicted in connection with a series of major cyberattacks that compromised more than 160 million credit card accounts over a seven-year period. A separate indictment of one of the men exposed a two-year-long penetration of computers at the NASDAQ and shined a light on the vulnerability of global financial systems. The five men named in the indictment were allegedly involved with breaches for which Albert Gonzalez is currently serving a 20-year prison sentence. Between 2005 and 2012, the group allegedly breached systems at Heartland Payment Systems, Hannaford Brothers, Dexia Bank Belgium and a number of other organizations. [NYTimes] [WIRED] [ComputerWorld] [KrebsOnSecurity] [BBC] [CNET]

US – Bank Glitch Exposes Data on 150,000 Customers

“In a case that could serve as a warning to other banks that contribute customer data to public storehouses,” Citigroup said it improperly protected consumer data—including Social Security numbers, birth dates and other sensitive information—when it shared nearly 150,000 records with the government’s legal document system, otherwise known as the Public Access to Court Electronic Records (PACER). The bank reached a settlement with a division of the Justice Department to redact the customer data at its own expense, notify those affected and offer one year of free credit monitoring. In a statement, the bank said, “The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings.” [American Banker]


US – Hulu: “Anonymous” Data Not Covered By VPPA

In new court papers filed last week, Hulu argues that sharing “anonymous” data about its users’ viewing habits with third parties is not a violation of the Video Privacy Protection Act (VPPA). In the filing with U.S. District Court Judge Laurel Beeler in San Francisco, the company wrote, “Hulu cannot be liable for disclosing anonymous user ID to comScore or Nielsen or to any other service provider.” Hulu acknowledges it shares users’ viewing histories, but removes names and any other identifying information. Instead, it assigns each user an anonymous user ID prior to transmitting the data. In the class-action lawsuit filed against the company, users allege that third parties with whom the data is shared can re-identify the information. Hulu said it stopped the practice allowing such re-identification two years ago. [MediaPost News]

Health / Medical

US – Woman Awarded $1.44M; Company to Appeal

A Marion Superior Court jury has awarded a plaintiff “$1.44 million after finding Walgreens and a pharmacist violated her privacy when the pharmacist looked up and shared the woman’s prescription history.” The lawsuit alleged, “As a provider of pharmaceutical service, defendant Walgreens Co. owes a non-delegable duty to its customers to protect their privacy and confidentiality of its customers’ pharmaceutical information and prescription histories.” In a statement, Walgreens has said it will appeal, stating it is “a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy.” [Indianapolis Star]

US – VA Seeks Breach Lawsuit Dismissal

The VA has moved to dismiss a lawsuit filed by patients affected by a breach earlier this year at William Jennings Bryan Dorn VA medical center. The VA filed the motion on grounds that plaintiffs have failed to prove the breached records were improperly disclosed. More than 7,400 patient records were on a laptop that was stolen last April. The government is now arguing that, lacking evidence that an unauthorized person viewed the records, the breach should not be considered improper disclosure under the Privacy Act, the report states. [HealthITSecurity]

WW – Google to Make $8.5 Million Donation in Settlement

Google will make an $8.5 million donation to nonprofit organizations in order to settle a class-action lawsuit alleging it leaked the names of search users. Google will also revise the “frequently asked questions” section of its privacy policy, the report states. Recipients of the settlement include the World Privacy Forum, Carnegie-Mellon, Harvard Law’s Berkman Center for Internet and Society and Stanford Law’s Center for Internet and Society. [MediaPost News]

Horror Stories

US – SEC, Retailer Announce Breaches

The Securities and Exchange Commission (SEC) has announced a data breach after a former SEC employee “inadvertently and unknowingly” downloaded the names, birthdates and Social Security numbers of employees on to a thumb drive and then transferred the data to another agency. The SEC did not learn of the incident until 10 months after it occurred. It is unclear how many employees were affected. Meanwhile, retailer Lakeland has warned customers of a potential data breach after two encrypted databases were accessed. [The Hill]

US – OHSU Reports 3,000 Records Breached

The Oregon Health & Science University has notified more than 3,000 patients their personal data was compromised after it was discovered the data was placed by resident physicians on two information-sharing services. Compromised data included patient names, medical record numbers, dates of service, diagnoses and providers’ names. The school said, “There is no evidence that the data were accessed or used by anyone who did not have a legitimate patient-care need to view the information.” [ModernHealthcare]

US – Details Emerge on Monroeville Breach

Details have emerged on a situation involving the Office for Civil Rights (OCR) and the Monroeville, PA, 911 dispatch center, in which the OCR told the center it had 30 days to conduct an investigation into protected health information about a former police chief that was exposed. Details obtained by the Pittsburgh Post-Gazette reveal that Monroeville 911 records were available to unauthorized individuals for an extended period of time, among other revelations. Meanwhile, a programming error has led to a data breach at the Indiana Family and Social Services Administration. [Health IT Security]

US – Citibike Notifies 1,200 of Breach

NYC Bike Share, the company that designs and manages the Citibike sharing system, has notified nearly 1,200 customers that their credit card numbers, names and addresses were mistakenly posted on the back pages of its website for approximately 24 hours. The glitch reportedly occurred between April 15 and late May. One customer notified by the company said she was glad to have been notified directly, though she was surprised the incident happened. Some businesses just post cryptic messages on their websites, she said, adding, “I felt in a way they handled it more responsibly.” [New York Post]

US – Stanford Breached; Recognizing Bank Breaches

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.” Meanwhile, Bank Systems & Technology writes, “we have found that many employees, even those who are technically savvy, do not recognize as reportable events the situations that commonly result in a data breach.” [Source]

US – Medicaid Patient Records Potentially Compromised Via E-mail

The Office of the Medicaid Inspector General (OMIG) has announced an internal employee in New York sent 17,743 Medicaid patient records to a personal e-mail account in October 2012. The employee did not have OMIG consent to send the e-mail and has been placed on administrative leave. The potentially compromised information may have included patients’ first and last names, dates of birth, Medicaid client information numbers and Social Security numbers, the report states. [Health IT Security]

US – 1.8m Affected by Ubuntu Breach, Apple Hacked

Ubuntu Forums has suffered a massive data breach, the company announced on its site. Every user’s local username, password and e-mail address were stolen from the company’s database. Approximately 1.82 million users are subscribed. Meanwhile, the University of Virginia has notified 18,700 students of a recent data breach after a third-party mailing vendor accidentally sent the students’ Social Security numbers in brochures mailed to home addresses, and Apple says its website for developers has been breached, but says customer information is encrypted and was not affected. [ZDNet]

Identity Issues

US – Deception Is at the Heart of PLSC-Winning Papers

At each year’s Privacy Law Scholars Conference, scholars workshop papers that bring together the academic privacy community with those working in industry, advocacy, law and government. The IAPP awards the two papers that receive the most votes from attendees with a cash prize and a speaking slot at the IAPP Privacy Academy, to be held this year in Seattle, Sept. 30 through Oct. 2. In an exclusive for The Privacy Advisor, IAPP interviews the winners and discusses their inspiration for the papers and the conclusions they’ve drawn about deceptive privacy practices and what the FTC might start doing about them. [Privacy Advisor]

Intellectual Property

US – State AGs Want Ability to Prosecute ISPs for Third-Party Content

“If you want to run a European Internet company dealing with user-generated content, be prepared to put your personal liberty at stake.” That analysis is based on recent cases involving ISP executives charged with various crimes due to the content their users posted. But Europe isn’t the only place such dangers lurk. At a meeting of the National Association of Attorneys General last week, it was revealed that some state AGs are drafting a letter to Congress that would exclude state criminal prosecutions from Section 230, a provision that says websites aren’t liable for user-generated content or other third-party content. Essentially, the change would allow state AGs to prosecute Internet companies, including their executives, for violating state law via publication of third-party content. [Forbes]

Internet / WWW

WW – The Good, the Bad and the Ugly of the Internet of Things

In anticipation of a roundtable discussion on the Internet of Things this November, the FTC has released submitted comments—coming from industry, privacy advocates, academics and regulators. This Privacy Perspectives post explores the potential benefits and drawbacks of this nascent phenomenon as well as the privacy discussions that need to be hashed out. Meanwhile, Kashmir Hill of Forbes writes about hacking into a smart home. [Source]

Law Enforcement

US – ACLU: Police Tracking Innocent People’s License Plate Data

An ACLU report reveals that police departments across the U.S. are using license-plate readers to capture and store information about individuals’ whereabouts—without their knowledge. The report found that data on even those who have not been accused of a crime is stored in the database. The ACLU says rules must be enacted to restrict how such technology is used and for how long such data is retained. Meanwhile, the Center for Investigative Reporting writes local officials are moving forward with a federally funded project that aims to combine data on surveillance cameras, gunshot detectors, license-plate readers, Twitter feeds and alarm notifications into a single tool for law enforcement. [The Hill]

US – Feds Arrest Five in Largest Hacking Scheme Ever Prosecuted

U.S. Attorney Paul Fishman announced today the indictment of four Russians and a Ukrainian in what he is calling “the largest hacking and data breach scheme ever prosecuted in the United States.” From 2005 to 2012, Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, Mikhail Rytikov and Dmitriy Smilianets allegedly uploaded malware into the computer systems of large institutions like Dow Jones, NASDAQ, JetBlue and 7-Eleven, then used that access to download and sell as many as 160 million credit and debit card numbers, along with other PII. Stolen funds reached into the many hundreds of millions. [The Star Ledger]


US – NTIA-Led Group Releases Code of Conduct

After a year of meetings and deliberations, the multi-stakeholder group organized by the National Telecommunications and Information Administration released yesterday statements showing general support for its Short Form Notice Code of Conduct, along with concrete examples of what the “nutrition label”-like short-form privacy notice might look like. These new notices won’t replace long-form privacy notices, but will serve as quick guides to which information is being collected by mobile apps and for what purpose. However, use of the short-form notices remains voluntary, and, noted Adweek, only two of the stakeholders committed concretely to use of the code of conduct. Other groups, such as the ACLU and EFF, voted to support the short form notices, but without committing to a full endorsement. And another 17 groups voted for more consideration. “It is not a consensus and not done,” said Stu Ingis, of the Direct Marketing Association. [WashingtonPost]

US – DAA, NAI Each Release Mobile Privacy Rules

The Digital Advertising Alliance (DAA) has unveiled its long-anticipated mobile privacy code. The rules state that ad networks and other related third parties should provide notification for online behavioral advertising—also known as cross-app advertising—with a provided opt-out. Additionally, ad networks and app developers must obtain opt-in consent from users for geolocation and address-book data collection. The grace period for implementation is expected to be nine to 12 months, potentially longer. The DAA is also working on an AdChoices opt-out icon for mobile apps. DAA counsel Stu Ingis said, “We envision that there will be an app that has the AdChoices icon in it, that consumers can download…Through the app, consumers can exercise choice with respect to all of the third parties.” DAA member the Network Advertising Initiative has released its final version of mobile privacy rules as well. [MediaPost News]

US – Study Says Short-Form Notice Can Be Ambiguous

A new study conducted by Carnegie Mellon University (CMU) reveals that the U.S. Commerce Department short-form notice proposal, as it currently defines data collection notice categories, has the potential to confuse consumers. The proposal calls for app developers to describe data types that will be collected—such as “biometrics”—and what types of third parties receive collected data—such as “ad networks.” The study surveyed 800 consumers and four experts about which terms they would use to categorize collection practices. Lorrie Cranor, a CMU computer scientist who oversaw the study, said the terms are “not well-defined, even the experts weren’t sure how to apply them,” and added, “When you have a bunch of lawyers and policy people coming up with the consumer tools, they’re not going to come up with something that is necessarily usable.” [Online Media Daily]

US – Study: Mobile Health Apps Carry Privacy Risk

According to a new study released yesterday by Privacy Rights Clearinghouse, many mobile health apps carry privacy and security risks. The report surveyed 43 free and paid apps—including the top 20 paid apps in health and fitness categories—and found several did not have privacy policies, transmitted data without encryption and sent user data to third parties such as ad networks and analytics companies. Privacy Rights Clearinghouse Founder Beth Givens said, “Data security and privacy—from a technical standpoint—is abysmal.” [GigaOm]

WW – Next Gen Video Game Consoles Raise Privacy Concerns

There are growing concerns about the privacy and data collection capabilities of the next generation of video game consoles. With more integration planned between consoles and social networking sites and video chat platforms, including Skype, “consoles are becoming as connected as the other devices we use every day,” the report states. The new systems will also feature motion- and voice-controlled technology used for recognizing users. Electronic Frontier Foundation Senior Staff Technologist Seth Schoen said, “Video game consoles pose problems akin to those of mobile phones because users often have very little visibility into what devices are doing and very little control over the software running on the devices.” [NBC News]

Online Privacy

WW – Mozilla Unveils Personalization Project, Catches Flak

Mozilla announced on its Labs blog it has begun testing a new personalized browsing experience with Firefox, whereby users choose with which Web sites to share which PII in exchange for personalized content. Elsewhere, the company explained how this fits with its philosophy of “Personalization with Respect.” However, while TechCrunch noted this is still just in the testing stages, AdWeek called the announcement “ironic” in light of the company’s Do Not Track stance, and lined up advertising representatives to say worse: “So the takeaway is that it’s OK for Mozilla to track, but not third parties?” asked Alan Chapell of Chapell & Associates, co-chair of the Mobile Marketing Association’s privacy committee. [Source]

US – Twitter Transparency Report Shows Growing Government Demand for Data

Twitter says the U.S. government continues to make the most requests for data on subscribers. In the first six months of the year, federal authorities made 902 requests for user information. In the same period last year, it requested information on 815 subscribers, the company’s transparency report indicates. Additionally, the U.S. government’s requests comprised 78% of all requests for user data. In its latest blog post, Twitter said it has “joined forces with industry peers and civil liberty groups to insist that the U.S. government allow for increased transparency into these secret orders.” [Washington Post]

US – Just How Creepy Is Predictive Search?

The New York Times reports on the new trend of apps utilizing predictive search to alert users to information they didn’t know they needed. From Google Now to Evernote to MindMeld, these apps scan users’ e-mail, calendar, notes and other items in the cloud or on a device to predict which information will be useful in the near future. A user might receive an alert that traffic is bad between midtown and the suburbs because the app knows that’s where the 10 a.m. meeting is. However, some observers are calling the services invasive and creepy, while others point to issues around context. “What works for a group of 30-something engineers in Silicon Valley may not be representative of the way that 60-year-old executives in New York tend to use their phones,” says UPENN Wharton School Prof. Andrea M. Matwyshyn. [New York Times]

US – Pinterest to Honor DNT Settings

Pinterest has added new site-personalization features for users drawn from their web-browsing activities but has also provided users with an opt-out choice. The company also announced it will support and honor users who select Do-Not-Track settings. “We’re excited to give everyone a more personalized experience,” Pinterest wrote in a blog post on Friday, “but we also understand if you’re not interested! We support Do Not Track, and you can change your account settings anytime.” The Electronic Frontier Foundation (EFF) supported the moves, which are similar to those of Twitter. “Hopefully, the decisions of Twitter and Pinterest are the vanguard of a new industry standard around respecting Do Not Track and soon this will be the default of all major websites,” the EFF wrote. [GigaOm]

WW – Terms and Conditions Documentary Examines Internet Privacy Issues

Terms and Conditions is a recently released documentary that examines the evolution of Internet privacy policies over the last 15 years. A dozen Internet privacy bills were introduced prior to September 11, 2001, but all were abandoned in the wake of the attacks. Instead, the PATRIOT Act was put in place, which led to the NSA’s wide-reaching data gathering practices. Assurances of anonymity have disappeared. The film compares Google’s privacy policy from December 2000 with that from December 2001. In short, the earlier policy clearly states that users’ identities are not traceable through cookies, but the one from a year later indicates that cookies might be able to be used to identify a particular user. That later policy says, in part, “Google will not disclose its cookies to third parties except as required by a valid legal process such as a search warrant, subpoena, statute or court order.” The film also addresses Facebook’s data retention practice. When users delete or remove content from their profiles, it merely gets flagged as deleted, but it still remains in the Facebook data banks and is accessible to Facebook or government agencies. [ArsTechnica]

US – W3C to Miss July Deadline for DNT

The World Wide Web Consortium (W3C) will not meet its “last call” deadline for putting out a Do-Not-Track proposal for public comment. W3C Co-Chair Peter Swire, CIPP/US, said, “There is not a way to get to last call by the end of July,” adding, “Next Wednesday, we will have a discussion about where we are and next steps.” According to the report, the group still has the opportunity to work on the proposals, but “the talks have turned so acrimonious that it seems unlikely the group will ever agree” on a Do-Not-Track standard for headers sent to browsers. [MediaPost News]

Other Jurisdictions

US – States Reviewing Policies Due to Anonymity Concerns

Some U.S. states are reviewing their policies on the collection and sale of health information based on concerns around patient anonymity in publicly available databases of hospital records. Washington, for example, has suspended distribution of such information and requires buyers to sign a confidentiality agreement, after it was revealed some patients of hospitals in the state could be identified by name and their conditions exposed. Tennessee, Nevada and Arizona have begun privacy audits, and California, Illinois, New Jersey, Massachusetts, Connecticut, Nebraska and Alaska already have reviews under way. While health care providers are forbidden from releasing patient information under HIPAA, states are exempt from the law. [Bloomberg]

AU – Australian Government Considers Joining Merkel’s Agreement

The Australian government is considering participating in a global data protection agreement put forward by German Chancellor Angela Merkel following revelations of the U.S. National Security Agency’s (NSA) PRISM surveillance program. Meanwhile, Australian Federal Police Commissioner Tony Negus says there is no link between the NSA revelations and Australia’s push for a mandatory data retention regime. In an opinion piece for CNN, Sen. Al Franken (D-MN) writes he’s working on legislation that would require the U.S. government to report annually how it uses surveillance programs, including how citizens’ data is being collected and who sees it. And in another op-ed, former head of the U.S. Justice Department’s Office of Legal Counsel writes that NSA data collection shouldn’t be constrained. [ZDNet]

JP – Railway Company Apologizes for Selling PII

Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent. East Japan Railway admitted to selling the data to Suica—one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states. [The Wall Street Journal]

Privacy (US)

US – Industry Groups Push for Federal Breach Notification Law

At a House hearing, industry groups called on Congress to move toward a federal data breach notification law. According to some witnesses, the current patchwork of state notification laws is burdensome for business. Though the hearing was mostly informative, according to the report, House Energy and Commerce Subcommittee Chairman Lee Terry (R-NE) expressed interest in pursuing legislation. Rep. Henry Waxman (D-CA) warned that federal legislation should not undercut state standards that already “have strong breach notification laws.” The Senate last month introduced federal legislation. [The Hill]

US – Legislator Calls on FTC to Curb Brick-and-Mortar Tracking

Sen. Charles Schumer (D-NY) has called on the Federal Trade Commission to institute rules to allow shoppers to opt out of smartphone tracking at brick-and-mortar retail stores. Schumer said that participating stores are “going to know a lot about you by following you around, even if you don’t purchase, even if you’re just browsing.” He also added that children can be tracked, and collected data may be stored indefinitely. [CBS New York]

US – Court Dismisses Class-Action Claim Against Gaming Site

The U.S. District Court for the Central District of California has dismissed a majority of the claims brought against Blizzard Entertainment, Inc., after a 2012 data breach. Hackers had gained access to customers’ accounts, including e-mail addresses and cryptographically scrambled versions of passwords. Among other allegations, the plaintiffs claimed the company failed to notify users of the breach in a timely manner. The court said the plaintiffs “failed to allege adequate harm.” Meanwhile, a Colorado clinic reports it has fired an employee in its billing department who improperly e-mailed some patients’ protected information to her own personal account. [Mondaq]

US – Digital Advertiser Settles Privacy Violation

Digital marketing company PulsePoint has agreed to settle charges by the acting New Jersey attorney general and the New Jersey Division of Consumer Affairs that it bypassed consumers’ privacy settings in Safari browsers. The company allegedly used cookies to bypass settings that are designed to block targeted ads. Acting New Jersey Attorney General John J. Hoffman said, “This settlement puts online advertisers on notice that they must respect consumers’ privacy settings, or end up paying far more in penalties than any violations would generate in ad revenue.” Another provision of the settlement requires PulsePoint to post its data collection practices on its website. A company spokeswoman said PulsePoint took “user privacy very seriously” and that the cookies in question had been “primarily limited to technical purposes such as fraud detection” and not for targeted ads. [The New York Times]

US – Reddit Joins Lobbying Group

Link-sharing and discussion website Reddit has announced that it has joined the Internet Association, a Washington lobbying group. The association was founded last year and lobbies on topics including surveillance laws, privacy, regulation and cybersecurity. “In spite of reddit being an incredibly effective way to lower workplace productivity, we’ve also seen how online communities can have a transformative economic impact,” said Reddit’s general manager. The Internet Association recently wrote to the U.S. Executive branch and congressional leaders calling for greater transparency on national security-related requests for user data from Internet service providers. [The Hill]

US – The Privacy (and Security) Pro in the White House

Much has been made of Nicole Wong’s appointment to work on privacy matters in the White House under U.S. CTO Todd Park, but there’s another privacy pro in the White House who actually has “privacy” in his title: Ari Schwartz, Director for Cybersecurity Privacy, Civil Liberties and Policy, National Security Staff, who started in the job this past month. The Privacy Advisor gets the first interview with him about his new position. Meanwhile, Politico talks about growing pains for the PCLOB, with which Schwartz will be working closely. [Privacy Advisor]

US – Obama Seeks Industry Incentives, Including Limited Liability

A “preliminary” presentation has been set forth by the Department of Homeland Security that looks into offering incentives to industries that adopt voluntary cybersecurity standards. Potential incentives include tax breaks, cyberinsurance “perks” and protection against legal liability. A White House representative noted the presentation is a “snapshot in time” and it only “reflects some preliminary analysis.” Cybersecurity legislation failed to pass Congress last year so the Obama administration’s cybersecurity executive order relies on industry cooperation. The DHS and National Institute for Standards and Technology are working with business to create a framework. Meanwhile, cybersecurity experts weigh in on the recent announcement that DHS Secretary Janet Napolitano will retire. [POLITICO]

UK – Intelligence Agencies Support Security Assessment for Large Companies

UK intelligence outfits GCHQ and MI5 are supporting an effort from the Department of Business, Skills, and Innovation, that asks the UK’s largest listed companies to take part in a Cyber Governance Health Check. The process involves having the companies’ chairpeople and audit committee heads complete web governance questionnaires. The companies’ audit committees will have the opportunity to discuss security issues discovered, and participating organizations will be able to view anonymized information about other participating organizations. [ZDNet] [Telegraph] [ComputerWorldUK]

US – Cybersecurity Bill Draft Is Circulating

There is no shortage of guidance for privacy and security professionals charged with designing and implementing a secure information infrastructure; existing regulations, ISO standards 27001 and 27002 as well as industry-wide practices are just the most prominent sources. But if congressional leaders get their wish, there will soon be yet another source of guidance: the Cybersecurity Framework from the National Institute of Standards and Technology. [Source]

WW – Cyber Insurance Policies on the Rise

Cyber insurance has become increasingly popular among businesses. That’s because of high-profile data breaches at companies including Citigroup and Sony and at governments around the world, the report states. “We’ve reached a threshold where people are now coming to us instead of us going to them,” said one industry executive, adding that his company, Aon Corp., has sold more cyber insurance policies within the last year and a half than in the five years prior. [Live Insurance News]

US – USDA Mobile Device Security Program Not Living Up to Expectations

Officials at the US Department of Agriculture (USDA) say that a mobile device security system it solicited in November 2012 is not functioning as specified in the contract. The solicitation from November 2012 specified “a fully functional 30 day pilot with vendor support … ready to support a minimum of 3,000 mobile devices.” The project is roughly a year behind schedule and parts of the project are incompatible with USDA’s network security infrastructure. The vendors hired for the USDA project are the same as those with which the Pentagon’s Defense Information Systems Agency (DISA) recently signed a three-year, US $16 million contract to provide security for 300,000 mobile devices. Neither DISA nor the Department of Agriculture required verification that the software being purchased is compatible with their existing software – resulting in extreme delays and significant additional costs at Agriculture and probably at DoD as well. [NextGov]

WW – Most Mobile Companies Have Fixed SIM Card Flaw

Nearly all mobile companies have patched a serious flaw that affected more than 500 million phones; the fixes were delivered within 10 days of notification. Karsten Nohl said that his team had found a way to remotely access and control mobile devices’ SIM cards. In some cases, the SIM cards could also be cloned. Attackers could exploit the flaw to eavesdrop on communications, pilfer information from accounts, and commit identity fraud. The attack allowed hackers to obtain SIM cards’ digital keys. The attack involves sending a text message to the SIM card that in certain cases, results in the card returning data that can be decrypted to reveal the key. [NBC News] [The Guardian]

WW – Researchers Hack Into Car Computer

Two security experts have demonstrated how they can hack into an automobile’s computer network to control essential functions, including shutting off the brakes. Charlie Miller, a security engineer at Twitter, and Chris Valasek, an intelligence security director at IOActive, have received a grant from the Pentagon to discover security vulnerabilities in automobiles. “When you lose faith that a car will do what you tell it to do,” Miller said, “it really changes your whole view of how the thing works.” Miller and Valasek plan to share their findings at next month’s Defcon hacker meeting in Las Vegas. A representative from Toyota said the real concern isn’t physically hacking into a car, as the duo have done, but wirelessly hacking into a car. “We believe our systems are robust and secure,” the representative said. [Forbes]

UK – Judge Bans Publication of Paper on Car Security System Hacking

A UK high court judge has ruled that a trio of computer scientists may not publish a paper describing a weakness in a cryptographic algorithm used to identify automobiles’ ignition keys. The injunction was sought by Volkswagen, which also owns Porsche, Audi, Bentley, and Lamborghini. The Megamos Crypto system, which is discussed in the paper, is used by a number of the luxury car brands. Volkswagen asked that the researchers publish a redacted version of the paper because it maintains the information could be used to steal cars. The researchers say that the information is already available online. They also notified the manufacturer of the vulnerable chip nine months ago to give the company time to address the security issues before they planned to present the paper. [ArsTechnica] [BBC] [The Register]

WW – Governments Ban Lenovo PCs from Accessing Classified Networks

A recent report from Australia’s Financial Review revealed that for the past seven years, the governments of the US, the UK, Australia, New Zealand, and Canada have banned the use of Lenovo PCs to access classified networks. Together, these countries make up the “five eyes” electronic eavesdropping alliance. The ban was prompted by concerns that the Chinese government may have installed backdoors to allow monitoring. Lenovo acquired IBM’s PC division in 2005. When the US State Department purchased 16,000 Lenovo PCs in 2006, legislators’ security concerns resulted in the machines being relegated to use only on unclassified networks. [InformationWeek] [The Register]

WW – Questionable Apps in Google Play Store

Symantec says that over the last seven months, it has detected more than 1,200 suspicious or questionable apps in the Google Play store for Android. Most are removed from the store shortly after their appearance, but some remain available for several days. The objective of apps can be difficult to discern, especially when they employ several layers to obfuscate their intent. [InformationWeek] [ComputerWorld]

WW – Apple and Samsung Smartphone Antitheft Technologies to be Tested

The “Secure Our Smartphone” initiative asks phone makers to implement technology that will help reduce smartphone theft. This week, state and federal prosecutors in California plan to bring in experts who will try to defeat security measures on smartphones provided by Apple and Samsung. Apple’s iPhone 5 will have the “Activation Lock” feature enabled, and Samsung’s Galaxy S4 will come with the LoJack for Android feature. Federal prosecutors are still hopeful that the companies will eventually manufacture smartphones with kill switches. [CNET] [ComputerWorld]

WW – Cybersecurity Moved From 12th to 3rd Place on Lloyd’s Risk Index List

Lloyd’s Risk Index 2013 places cybersecurity near the top of the list of risk factors faced by businesses. Risk of cyber incidents was ranked twelfth in the 2011 Index and has moved, in three years, to third, following only high taxation and loss of customers. Cyber issues top the list of political, crime, and security risks. This may be attributable to increased politically and ideologically motivated attacks and the increased cost associated with attacks. The report questions whether organizations “are spending money on the right things” to effectively address cybersecurity, and posits that spending money on security measures and making sure that security recommendations are implemented might be a better investment than purchasing insurance policies that cover cyberattacks. An April 2013 report from the Insurance Information Institute suggests that about two-thirds of cyber incidents are due to issues within organizations’ control. [Lloyds Risk Index] [Lloyds Press Release] [Lloyds Report]

US – Senators Seek Changes to FISC, Section 215

Sen. Richard Durbin (D-IL) said changes to foreign intelligence surveillance court proceedings are needed and proposed adopting “a real court proceeding” to approve wiretapping requests, The Wall Street Journal reports. “Let’s have an advocate for someone standing up for civil liberties to speak up about the privacy of Americans when they make each of these decisions,” Durbin said, along with proposing the release of redacted FISA court transcripts. In a special to The Washington Post, Sens. Mark Udall (D-CO) and Ron Wyden (D-OR) urge the White House to “end the bulk collection of Americans’ phone records and instead obtain information directly from phone companies, using regular court orders based on individual suspicion.” The prevailing sentiment, The New York Times reports, is that momentum is building in Congress to alter NSA surveillance.

US – NSA Amendment Voted Down In House

In a close vote, the U.S. House of Representatives defeated an amendment that would have prevented the National Security Agency from collecting large volumes of phone records. The 205-217 vote followed “impassioned debate over citizens’ right to privacy and the steps government must take to protect national security.” Rep. Jerrold Nadler (D-NY) said of Section 215, the provision under which the NSA collects phone metadata, “It’s going to end—now or later…The only question is when and on what terms.” Rep. Mike Rogers (R-MI) said he would draft legislation in the coming months to add more privacy protections to government surveillance programs. In an op-ed for The Times, David Brin writes of increased surveillance: “You can either fight this new era, or embrace it.” [The New York Times]

US – US House Defeats Measure to Rein In NSA Data Collection

By a narrow margin, the US House of Representatives voted down an amendment to the DoD Appropriations Act of 2014 that would have restricted the NSA’s authority for bulk collection of phone record metadata. Under the defeated amendment, the NSA would still have had the authority to collect phone records of suspects related to anti-terrorism investigations. The White House opposed the amendment, saying “this blunt approach is not the product of an informed, open, or deliberative process.” [WIRED] [ArsTechnica] [ZDNet] [ComputerWorld] [The Atlantic]

CA – Ontario Commissioner Discusses Dangers of Metadata

The Ontario Information and Privacy Commissioner Ann Cavoukian discusses the term “metadata,” frequently used since revelations of the U.S. National Security Agency’s surveillance program. While government officials defend the use of metadata, claiming it isn’t privacy invasive because it doesn’t access telecommunications content, Cavoukian says this is “fanciful thinking–perpetuating a myth that is highly misleading. The truth is that collecting metadata can actually be more revealing than accessing the content of our communications.” Cavoukian has also published a white paper on the topic. [Toronto Star]

US – Court Renews NSA’s Authority to Gather Phone Metadata

The US Foreign Intelligence Surveillance Court has renewed its order granting the National Security Agency (NSA) authority to collect metadata from telecommunications companies. The decision to renew the program was made “in light of the significant and continuing public interest in the telephony metadata collection program.” The order does not allow access to content of phone calls or the identity of subscribers. [ComputerWorld] [ZDNet] [Ars Technica]

US – US Justice Dept. Says NSA Snooping Does Not Violate Constitutional Rights

The US government has responded to a series of lawsuits challenging the NSA’s authority to snoop on phone records, saying that the intelligence agency’s activity cannot be challenged in court. The Obama administration maintains that the actions do not violate citizens’ constitutional rights and are conducted in the “public interest.” [WIRED] [US DOJ Filing]

US – NSA Adopts Procedures to Protect Data on its Networks

New rules adopted by the National Security Agency (NSA) aim to protect the top-secret data stored on its networks. A “two-man rule” requires two systems administrators to work together when accessing systems containing highly classified data. The system is based on a similar procedure used in the handling of nuclear weapons. The NSA also plans to implement strong encryption for its most sensitive data. [NY Times]
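As an added illustration of the dual-control idea in the item above (example code written for this digest, not anything from the NSA or the Times report), the gate below refuses to open a protected record unless the requesting administrator has a fresh approval from a second, distinct administrator; the admin names, the 15-minute approval window, the sample record and the injectable clock are all constructed assumptions. Every decision is appended to an audit log, which is the other half of what a two-person rule buys a defender: the second person is both a check and a witness.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed policy parameters (assumptions, not from the article).
APPROVAL_WINDOW = timedelta(minutes=15)   # an approval is only good for this long
INDEPENDENT_APPROVERS = 1                 # requester + this many others = two people


class DualControlError(Exception):
    """Raised when a request violates the dual-control policy."""


@dataclass
class AccessRequest:
    request_id: str
    requester: str                  # administrator asking for access
    resource: str                   # what they want to open
    created_at: datetime
    approvals: dict = field(default_factory=dict)   # approver -> time of approval


class DualControlGate:
    """Gate in front of a sensitive store: no single administrator can open it alone."""

    def __init__(self, admins, clock=None):
        self.admins = set(admins)
        # Injectable clock so the policy can be tested without waiting 15 minutes.
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.requests = {}
        self.audit_log = []         # every decision is recorded for later review

    def open_request(self, request_id, requester, resource):
        if requester not in self.admins:
            raise DualControlError(f"{requester} is not an authorized administrator")
        req = AccessRequest(request_id, requester, resource, self.clock())
        self.requests[request_id] = req
        self.audit_log.append(("opened", request_id, requester, resource))
        return req

    def approve(self, request_id, approver):
        req = self.requests[request_id]
        if approver not in self.admins:
            raise DualControlError(f"{approver} is not an authorized administrator")
        if approver == req.requester:
            # The core of the rule: the person asking can never be the second person.
            raise DualControlError("requester may not approve their own request")
        req.approvals[approver] = self.clock()
        self.audit_log.append(("approved", request_id, approver))

    def is_authorized(self, request_id):
        """True only if a distinct administrator approved within the window."""
        req = self.requests[request_id]
        now = self.clock()
        fresh = {a for a, t in req.approvals.items()
                 if a != req.requester and now - t <= APPROVAL_WINDOW}
        return len(fresh) >= INDEPENDENT_APPROVERS

    def read(self, request_id, store):
        """Return the protected record only when dual control is satisfied."""
        req = self.requests[request_id]
        if not self.is_authorized(request_id):
            self.audit_log.append(("denied", request_id, req.requester))
            raise DualControlError("dual-control requirement not met")
        self.audit_log.append(("read", request_id, req.requester, sorted(req.approvals)))
        return store[req.resource]


def demo():
    """Walk through the policy with a controllable clock; returns the outcomes."""
    current = [datetime(2013, 7, 20, 12, 0, tzinfo=timezone.utc)]
    gate = DualControlGate({"alice", "bob"}, clock=lambda: current[0])
    store = {"ts/db-export": "constructed sample record"}   # constructed data

    gate.open_request("r1", "alice", "ts/db-export")
    results = {}
    try:
        gate.approve("r1", "alice")              # self-approval must be rejected
        results["self_approval"] = "allowed"
    except DualControlError:
        results["self_approval"] = "rejected"

    results["alone"] = gate.is_authorized("r1")  # False: only one person so far
    gate.approve("r1", "bob")                     # second administrator present
    results["with_bob"] = gate.read("r1", store)  # access granted and logged

    current[0] += timedelta(minutes=16)           # approval goes stale
    results["after_window"] = gate.is_authorized("r1")   # False again
    return results, gate.audit_log


if __name__ == "__main__":
    outcomes, log = demo()
    print(outcomes)
    for entry in log:
        print(entry)
```

The approval window matters as much as the second signature: without it, one approval collected once would let the requester come back alone indefinitely, which quietly turns a two-person rule back into a one-person rule.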

NZ – Bill Would Expand NZ Intelligence Agency’s Domestic Surveillance

New Zealand’s parliament is poised to pass legislation that gives the Government’s Communications Security Bureau (GCSB) broader surveillance powers, including the authority to wiretap New Zealand citizens’ communications. GCSB’s domestic surveillance activity gained attention last year after it tapped communications of Megaupload founder Kim Dotcom, an action found to be illegal because Dotcom was a resident of the country. Public opposition to the bill is growing. [The Register] [NZHerald]

Telecom / TV

US – NJ Supreme Court: Get a Warrant for Cellphone Info

The New Jersey Supreme Court ruled that law enforcement must acquire a warrant prior to obtaining tracking information from a suspect’s cellphone. The ruling “puts the state at the forefront of efforts to define the boundaries around a law enforcement practice” that has divided courts around the country, and the issue will likely end up before the U.S. Supreme Court. Meanwhile, a House appropriations panel has unanimously adopted an amendment that would require law enforcement to get a warrant before accessing e-mail and other online messages. The amendment was added to the Fiscal Year 2014 Financial Services and General Government Appropriations bill and the privacy requirement covers the Internal Revenue Service, the Securities and Exchange Commission and other regulatory agencies. [The New York Times] [Text of decision]

US – Appeals Court Says No Warrant Required for Accessing Location Data

The US Fifth Circuit Court of Appeals in New Orleans, Louisiana, has ruled that law enforcement agents do not require warrants to track suspects’ locations through cell phone records. The ruling overturns an order from a federal judge in Texas. The new ruling indicates that cell phone records are the property of the carrier and are therefore not subject to reasonable expectation of privacy under the Fourth Amendment. Instead, the information is considered a business record. A court order is still required to search the records, but the requirements for obtaining a court order are less stringent than those for obtaining a search warrant. The Louisiana court cited the Stored Communications Act in support of its ruling. [CNET] [ComputerWorld] [ArsTechnica] [The Atlantic] [Text of Decision]

US – Fifth Circuit Decision “Doomed” at SCOTUS Level

Mark Joseph Stern contends that this week’s Fifth Circuit Court of Appeals decision that authorities do not need warrants to extract historical location data from cell phones “is doomed at the Supreme Court” level. “The Fifth Circuit’s cellphone ruling is almost certain to be reversed in the near future, barring a dramatic change of heart from one of the Supreme Court’s privacy lovers,” he writes. Meanwhile, TIME takes a look at five recent privacy cases in a report examining how the Supreme Court defines the right to privacy. [Slate] See also: [WSJ: Judges Ask Supreme Court to Take On Cell-Phone Searches]

US – Razor-Thin House Vote Prompts Privacy Action

A “razor-thin defeat” of a congressional measure to curb domestic surveillance has prompted reaction from lawmakers and privacy advocates. One former NSA analyst-turned-whistleblower said, “It doesn’t mean the end of it. It’s the beginning.” Sen. Patrick Leahy (D-VT) announced the Senate Judiciary Committee will hold a hearing next week entitled, “Strengthening Privacy Rights and National Security: Oversight of FISA Surveillance Programs.” Rep. Adam Schiff (D-CA) is crafting legislation to create a special privacy advocate to appear in front of the FISA court as an “adversary.” The New York Times delves into the FISA court judges and the role played by Chief Justice John Roberts in choosing them. [The Guardian]

US – PCLOB To Meet With Private Sector

The Privacy and Civil Liberties Oversight Board (PCLOB) is slated to meet with Internet and telecommunications companies to determine what data and access to company servers they’ve provided to the U.S. government, Bloomberg reports. The move comes after the PCLOB held a hearing last week with privacy experts and former government officials. “It’s valuable to hear company perspectives on how the programs operate,” said PCLOB Chairman David Medine. “We want to hear both sides of it. We want to hear the government side, but we also want to hear the private-sector side.” Also, the PCLOB is getting reinforcements: Sharon Bradford Franklin is leaving The Constitution Project to join the board as executive director, The Hill reports. Meanwhile, a coalition of Internet companies and civil liberties groups are calling on the Obama administration and Congress to expand the disclosure of U.S. government surveillance programs. [Source]

US Government Programs

US – Senate Strongly Presses NSA; Bills Introduced; Classified Docs Released

A recent Senate Judiciary Committee hearing saw senators from both sides of the aisle press representatives from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Federal Bureau of Investigation and Justice Department over surveillance programs, particularly the provision allowing for the dragnet collection of Americans’ phone metadata. Committee Chairman Patrick Leahy (D-VT), on several occasions, expressed deep concern about the amount of Americans’ data being collected under Section 215. A number of senators said they were introducing legislation to narrow the scope of the collection of phone metadata. Obama administration representatives said they were willing to “reevaluate” the program. [Privacy Advisor]

US – Senators Aim to Change NSA’s Data Collection Practices

Undeterred by a recent House vote that failed to restrict NSA’s data gathering practices, a number of US senators say they plan to introduce legislation that will focus on the NSA’s phone data collection practices. The legislators say they want to make the NSA’s activity more transparent. Senator Al Franken (D-Minnesota) plans to introduce a bill that will require the NSA and other intelligence agencies to disclose the number of people whose information they have collected, and allow companies to disclose the numbers of surveillance requests made by government agencies. Senator Richard Blumenthal (D-Connecticut) will seek changes at the Foreign Intelligence Surveillance Court, adding the presence of public advocate lawyers. Senator Dianne Feinstein (D-California) wants the length of time that the data are held reduced from five years to two or three years. [ComputerWorld] [Ars Technica]

US – Documents Show Lawmakers Knew of NSA Data Gathering

Documents released by US intelligence officials earlier this week show that legislators were aware of the NSA’s wide-reaching data collection practices, but were prohibited from discussing the issue. The intent of releasing the information is to “allay concerns that the Obama administration was overstepping its legal authority.” [WIRED]

US – NSA Chief Defends Data Gathering Programs, Asks Those Who Disagree to Help

In his keynote address at the Black Hat security conference in Las Vegas, NSA chief General Keith Alexander defended the agency’s data collection and surveillance practices. Alexander maintained that there have been “zero abuses of NSA PRISM,” and that the data gathering is an essential part of fighting terrorism. He said that the data collection programs have been mischaracterized, and that the allegations that they are “collecting everything [are] not true.” Alexander noted that queries of the collected phone call metadata are restricted. Alexander also told audience members, “If you disagree with what we’re doing, you should help us [make it better].” [WIRED] [ArsTechnica] [CNN] [SC Magazine] [NextGov] The General’s entire keynote, defending NSA’s practices, is available on YouTube at the official Black Hat channel.

US Legislation

US – Sen. Leahy Introduces FISA Privacy Act

Senate Judiciary Chairman Patrick Leahy (D-VT) has introduced legislation to reform America’s surveillance powers. The FISA Accountability and Privacy Protection Act of 2013 —which is cosponsored by nine additional senators—would narrow the scope of Section 215; allow for judicial review of “gag orders” provisions; move up the FISA Amendments Act sunset clause by two years; require the inspector general of the intelligence community to conduct a comprehensive review of the current law and its impact on citizens’ privacy, and mandate the release of an unclassified report for the public on the impact of the surveillance programs on individual privacy, the report states. The Senate Judiciary will host a hearing on privacy and the NSA disclosures on Wednesday. [Slate]

US – Hearing on Breach Notification

The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade held a hearing that saw industry groups pushing for a federal data breach notification law. Bloomberg reports that the push aims to create one streamlined process to preempt the differing requirements in 46 states and the District of Columbia. Corporate Counsel reports this is the fourth time in eight years the House has considered such a law. “The subcommittee called six witnesses representing technological and telecommunications trade groups, privacy software companies, and academia,” all of whom advocated for a federal standard, but differed on how it should read.

US – Hulu Argues No VPPA Violation

The online streaming company Hulu is facing a potential class-action lawsuit for violating the Video Privacy Protection Act (VPPA) by disclosing its customers’ viewing habits. While the company admits to sharing the information, it argues in court papers that because the data is associated with an ID number and not personal information there is no violation. “The consumers alleged in their lawsuit that third parties could figure out people’s identities from their User IDs, given that Hulu included the User ID in the Web page addresses of users’ profile pages.” Hulu claims in the court papers to have stopped this practice two years ago. [MediaPost]

US – Judge Orders Google to Reveal Blogger

A Manhattan judge says there is compelling enough evidence to unveil the identity of an anonymous blogger who has created blogs titled and “The web blogs…are causing actual, pecuniary injury to Mr. Schulman’s reputation as a zealous advocate for consumers against debt collection companies,” states Schulman’s court petition. Google questioned the necessity of revealing the blogger’s identity, but the judge has ordered it to do so, though Schulman has yet to even file a defamation suit. The blogger has an opportunity to challenge the discovery, according to the report. Unless that happens, Google has two weeks to comply. [Wall Street Journal]

US – Congressmen Introduce Bill to Curb ID Theft of Deceased

Reps. Sam Johnson (R-TX) and Xavier Becerra (D-CA) have introduced HR 2720 to address the privacy of recently deceased individuals. “The bill would mandate that, starting January 2014, only death information older than three years would be made publicly available through the (Social Security Administration’s Death Master File), which will prevent criminals from filing fraudulent tax returns before the legitimate family files its return,” states the press release.

US – Bill To Spur EHR integration Between DoD and VA

Sen. Bill Nelson (D-FL) introduced The Servicemembers’ Electronic Health Record Act of 2013 (S. 1296), to set a one-year timeline for the integration of electronic health records between the Department of Defense and the Department of Veterans’ Affairs, among other things. The bill would amend the Wounded Warrior’s Act and requires the agencies to create standard forms and methods for data sharing, including giving consideration to storing data in the cloud. According to the report, a similar bill has been proposed in the Senate (H 2590), which has 44 co-sponsors and has been referred to the House Armed Services and Veteran’s Affairs Committees. [FierceEMR]

US – Judge Allows Orgs to Seek Dismissal of Wyndham Lawsuit

In a closely watched case, a federal judge in New Jersey will allow the U.S. Chamber of Commerce and other organizations to seek dismissal of a lawsuit filed by the Federal Trade Commission (FTC) against Wyndham Worldwide Corp. TechFreedom’s Berin Szoka said, “The FTC has this broad authority to make what is known as common law for information security not unlike the common law where courts make a decision and others can study and understand that law.” As a consequence, companies do not have much by way of guidance from the FTC for what constitutes deceptive and unfair practices. University of California Berkeley Prof. Chris Hoofnagle said the dismissal is a “Hail Mary effort to stop the FTC from enforcing its unfairness power.” [ComputerWorld]

US – Lawmakers Preparing Legislation in the Wake of NSA Surveillance

In light of NSA surveillance programs that have recently garnered the world’s attention, Sen. Al Franken (D-MN) is drafting legislation that he writes “will require the federal government to annually report how it uses key authorities under the Patriot Act and the Foreign Intelligence Surveillance Act, including the authorities underlying the phone metadata and the PRISM electronic surveillance programs that recently came to light.” Rep. Mike Rogers (R-MI), chairman of the House Intelligence Committee, said on Wednesday that he would draft legislation in the coming months to add more privacy protections to government surveillance programs. According to The Huffington Post, Rep. Adam Schiff (D-CA) is preparing legislation that would create a privacy advocate to appear in front of the Foreign Intelligence Surveillance Court. This newest draft is the third proposal in Schiff’s push to reform the FISA court. He has also drafted laws “to declassify and publish the court’s opinions and to shift the power to choose its 11 judges from the Supreme Court’s chief justice to the president,” the report states.

US – CA Ballot Initiative Could Establish “Very Different Set of Privacy Rules”

A former California state senator and a trial lawyer have filed a “potentially revolutionary draft ballot initiative” with the California Attorney General’s Office, writes DLA Piper’s Jim Halpert for Technology’s Legal Edge. The initiative would restrict business and government disclosures of a broad range of personally identifiable information, Halpert writes, which could only be disclosed in narrow circumstances. If voters approve the initiative, California’s constitution would be amended to include “a very broad opt-in privacy regime with narrow exceptions…bringing to California a very different set of privacy rules than apply anywhere in the United States.” It would result in major cost increases for both business and government operations, Halpert writes.

US – States Reviewing Policies Due to Anonymity Concerns

Some U.S. states are reviewing their policies on the collection and sale of health information based on concerns around patient anonymity in publicly available databases of hospital records, Bloomberg reports. Washington, for example, has suspended distribution of such information and requires buyers to sign a confidentiality agreement, after it was revealed some patients of hospitals in the state could be identified by name and their conditions exposed. Tennessee, Nevada and Arizona have begun privacy audits, and California, Illinois, New Jersey, Massachusetts, Connecticut, Nebraska and Alaska already have reviews under way. While health care providers are forbidden from releasing patient information under HIPAA, states are exempt from the law.

UK – ICO Says License-Plate Cameras Broke Law

The Hertfordshire Constabulary’s use of seven cameras to monitor traffic coming into and going out of the town of Royston is against the law, reports BBC. The force failed to carry out a privacy impact assessment, and according to the head of enforcement at the Information Commissioner’s Office, “The use of ANPR (automatic number plate recognition) cameras and other forms of surveillance must be proportionate to the problem it is trying to address. After detailed inquiries…we found that this simply wasn’t the case in Royston.” The police have been ordered to remove the cameras unless they can justify their use.

CN – Chinese Ministry Issues Telecom, ISP Privacy Rule

The Ministry of Industry and Information Technology of the People’s Republic of China has issued a new rule entitled Provisions on the Protection of Personal Information of Telecommunications and Internet Users, reports Hunton & Williams’ Privacy and Information Security Law Blog. The rule aims to implement the requirements of last December’s Decision on Strengthening Protection of Online Information, and is in keeping with the nation’s push toward protecting personal information. The rule imposes requirements on the collection and use of personal information by telecommunications and Internet service providers including collection limitations, use limitations, access and correction rights and breach notification.

UA – Federal Law in UAE: Photo and Video Without Consent Is Illegal

After the arrest of an official for assault, the official’s family has filed a case against the person who videoed the attack on the grounds of privacy invasion, reports Emirates 24/7. The cameraman has been arrested under Article 378 of the penal code, which makes publishing by any means material of an individual’s private life against the law. “It is not allowed for anyone to film others without the permission of the public prosecutor, or with the written permission of the person(s) who appear in the pictures. In this case it will be considered a violation of privacy,” said Major General Khamis Mattar Al Muzinah, acting chief of Dubai Police, adding, “At modern times in my view this law is highly significant in protecting a person’s private/family affair.”

Workplace Privacy

US – CIO Council Issues Social Media Guidance

The CIO Council has issued guidance calling on government agencies to be transparent about their use of social media. The guide, Privacy Best Practices for Social Media, states, “By being transparent about what type of information the agency is collecting and how it is collecting it, the agency can help minimize the public’s concern that the government is monitoring individual speech and actions on social media.” The guide offers best-practice advice on establishing a social media program and using social media for information sharing, among others. The guide recommends limiting “information gathering to facts surrounding an event” and collecting PII only “in very limited situations,” the report states. [GovInfoSecurity]

US – Survey: Employees Mistrust Policies; Some Orgs Don’t Have Them At All

An online survey of almost 3,000 employees in the U.S., UK and Germany showed that when it comes to “bring your own device (BYOD),” only 30% said they trust their employer to keep personal information private and not use it against them. The survey indicated a level of confusion over what constitutes personal information. Meanwhile, ZDNet cites Acronis’ 2013 Data Protection Trends Research report indicating the majority of Australian organizations don’t have a BYOD policy and 33% don’t allow personal devices into the corporate network. [The Telegraph]



01-15 July 2013


NZ – Privacy Issues Raised In Face Recognition for Problem Gamblers

The Department of Internal Affairs says the use of facial recognition technology for problem gamblers at gaming machines raises privacy issues. The technology, developed by the company Positive Outlook, takes photos at the machines and locks them down when an excluded gambler approaches. It is being trialled at a Hamilton pub and may be used at other pubs and clubs around the country. Regulatory services general manager Maarten Quivooy says significant issues need to be worked through before the technology is used more widely, as there are concerns about who manages and has access to the database that stores people’s images. He says there are also questions about the speed and level of accuracy of the camera technology, and the cost. Positive Outlook says the technology does not breach privacy. A company director, Bruce Tevarthen, says as it is an opt-in system, only images of those who have elected to formally enrol are held. He says the images database is administered by an independent party. [Source]


CA – Canadian Senate Remands Bill C-377

On June 26, Liberal, Conservative and Independent senators joined together in a rare demonstration of non-partisan co-operation to amend Bill C-377, a private member’s bill that would have forced labour unions to publicly disclose an unprecedented amount of personal information relating to individual Canadians and businesses, and post them, with names, on the Internet. The Privacy Commissioner of Canada testified that this would be a “significant invasion of privacy.” We were told repeatedly by constitutional experts that the bill was unconstitutional, that the issues addressed fell within provincial jurisdiction, and that we would be exceeding our constitutional jurisdiction if we passed it. Five provinces told us the bill should not proceed. These were governments of every political stripe — Liberal, NDP, Parti Québécois and Conservative. Together, they represented more than 70% of the population of Canada. They told us the bill could destabilize labour relations in their provinces; one minister said it would be “a grenade in the room of collective bargaining.” A Senate committee sat for three weeks of hearings studying Bill C-377. They heard from 44 witnesses. The overwhelming weight of the evidence was that the bill was deeply flawed. Many Canadians have written to applaud the actions of the Senate in amending the bill and returning it to the House of Commons for further consideration. They say it demonstrates exactly why the Senate exists, and the importance of sober second thought. [Source]

CA – Supreme Court Will Hear Case Dealing With Privacy Rights for Cellphones

The Supreme Court of Canada is taking on the question of whether police can access information on a cellphone that isn’t protected by a password. The court has agreed to hear an appeal from Kevin Fearon, who was arrested after an armed robbery in Toronto in 2009. Police obtained photos of a gun and cash, as well as a text message about jewelry, after taking a closer look at Fearon’s phone, which was unlocked. After he was convicted, Fearon appealed, arguing that police breached his rights when they examined the phone after his arrest. The Ontario Court of Appeal said it was all right for the police to look through the phone in a cursory fashion to see if there was evidence relevant to the crime, but after that they should have stopped to get a search warrant. Had the phone been password-protected or otherwise locked to anyone other than its owner, “it would not have been appropriate” to look through the phone without a search warrant. The appeal judges referred to a decision in a murder case in which the judge did not allow evidence from a personal electronic device because it “functioned as a mini-computer,” which has a high expectation of privacy. The contents of that device were only extracted by a police officer using specialized equipment, the judges noted. “There was no suggestion in this case that this particular cellphone functioned as a ‘mini-computer,’ nor that its contents were not ‘immediately visible to the eye,’” the court said in its ruling. “Rather, because the phone was not password-protected, the photos and the text message were readily available to other users.” Defence lawyer Sean Robichaud said that approach failed to take into account the amount of information many people keep on their cellphones these days. Fearon also appealed over the issue of access to a lawyer, saying he was left in an interview room for five hours without an opportunity to contact counsel. The Supreme Court, however, said the appeal will be limited to the cellphone issue. [Source]

WW – International Privacy Coalition Call on the EU to Increase Data Protection

In response to revelations regarding PRISM and related surveillance programs, privacy advocates from the U.S., Canada and Europe have issued a consensus statement calling on the EU to increase data protections. The EU’s data protection framework has been a model of privacy protection for many countries in the world, including Canada. The EU framework gives citizens vastly more privacy protections than citizens have in the US. The EU is currently reforming its data protection framework and the US is lobbying heavily to see EU privacy protections eroded. Gathered in Washington, DC for the conference on Computers, Freedom and Privacy (CFP), a dozen groups from both sides of the Atlantic joined the “Washington Statement,” including the American Civil Liberties Union (ACLU), the Electronic Privacy Information Center (EPIC), European Digital Rights (EDRi), Privacy International, and the British Columbia Civil Liberties Association (BCCLA). The group warned policymakers that “Our common future, on both sides of the Atlantic, needs privacy and a strong European law. We call on European policy makers to defend this human right now, as an essential prerequisite for preserving privacy, freedom of thought and of expression in vibrant democracies.” [Source]

CA – Businesses Push for Freedom to Share Personal Data Across Borders

If business groups in Canada and the United States get their way, new free-trade rules would limit the ability of governments to block cross-border flows of personal and financial data. The Canadian Chamber of Commerce, which speaks for 200,000 businesses across the country, is joining the U.S. Chamber of Commerce to push for new data standards in future free-trade deals, starting with the 12-country Trans-Pacific Partnership. The lobbying push is part of an effort by the business community to stamp out what it sees as rising “digital protectionism” – everything from Internet censorship to privacy laws mandating the storage of certain personal data within countries. “What we’re seeing increasingly is that governments are trying to impose controls on the flow of data in a variety of ways,” said Perrin Beatty, the Canadian chamber’s president and chief executive officer. [Source]

CA – Media Trampled on Terror Suspects’ Rights: Civil Liberties Group

The mob of reporters and photographers that swept through the suite of a Surrey, B.C., couple charged in the alleged Canada Day terror plot had no legal right to snoop through their home, according to the BC Civil Liberties Association (BCCLA). Two days after Mounties arrested Amanda Korody and John Nuttall, their landlord allowed media members to walk freely through the basement suite. A QMI Agency staffer who went into the house twice witnessed a reporter rifling through a notebook belonging to the couple and videotaping pages. He also noticed things were moved after his initial visit — drawers and closets were opened and artifacts appeared rearranged and grouped. The QMI Agency legal team advised the newsroom to refrain from publishing photos from inside the house. BCCLA executive director Josh Paterson said no one should have been in the house in the first place, as there’s only a handful of specific reasons a landlord can legally enter a suite. “They can do it if there’s an emergency, they can do it if they have to show the unit, or if the tenant had abandoned the unit, but there’s no information here to suggest any of those things are true,” he said. “Just because you got arrested and maybe put in jail, doesn’t end your residential tenancy. That’s a whole separate process.” [Source]

CA – Canadian Retailers Using Postal Code Information to Target Customers

In line at the cash at the LCBO, Ikea or Walmart, the cashier takes your card and asks for your postal code. Why is she asking? What should you do? Retailers, including the LCBO and Ikea, say postal code information is collected to fine-tune services for customers, including product selection, and to target flyers to specific neighbourhoods to reduce waste and save money on postal services. But the potential exists for using postal code information to compile personalized mailing lists that can be sold or shared. Data collection and management companies including Harte-Hanks Data Services and Solutions, which operates worldwide, offer businesses the ability to use software to match postal codes with credit card information to come up with unique addresses. “Users simply capture names from the credit card swipe and request a customer’s ZIP code during the transaction. GeoCapture matches the collected information to a comprehensive database to return an address,” according to information posted to the firm’s website. “Works at the point of sale to identify customers, understand purchase behaviour and follow up with dynamic, personalized marketing.” Canadians are more worried than ever about the misuse of their personal information, according to the results of a survey released late last year by the Office of the Privacy Commissioner of Canada. “Seven in 10 think that their personal information has less protection in their daily lives than it did 10 years ago, an increase of 10% since 2011. As well, the majority (56%) are not confident that they have enough information to know how new technologies affect their personal privacy which is the highest expression of a lack of confidence for this question since tracking began in 2000,” the survey found. It also found that Canadians are reluctant to share their personal information with organizations (57% never or rarely do so), and most (60%) have asked for an explanation of how an organization will use their information. 
No one is obliged to divulge their postal code at point of purchase, says Scott Hutchinson, a spokesman for Canada’s privacy commission office. “People who may wish to entertain the request should be encouraged to ask why the information is needed and what it will be used for; and if they don’t like the answer, they can be equally encouraged to simply just say ‘no,’ ” he says in an email to the Star. [Source]

CA – Ontario Privacy Commissioner Receives Anti-Bully & Online Safety Award

Ontario’s Information and Privacy Commissioner Ann Cavoukian is the latest recipient of the KnowledgeFlow CyberSafety Champion award for her relentless drive to raise awareness in support of the most important causes affecting youth and families in the information age. “Dr. Cavoukian consistently raises the bar across a number of important domains. Her efforts to curb the victimization of the most vulnerable members of our society are something that we are proud to recognize,” said Claudiu Popa, CEO of Informatica Corporation and founder of the Initiative. [Source]


US – Americans Divided on Snowden; Young Alito Pushed for Protections

The New York Times reports on a poll indicating division among Americans on whether Edward Snowden is a traitor or a whistleblower. The Quinnipiac University poll indicates the majority of those surveyed—55%—said he was a whistleblower for revealing the National Security Agency’s (NSA) PRISM program, while 34% said he was a traitor. Meanwhile, a report cited in the Electronic Privacy Information Center’s lawsuit asking the Supreme Court to halt the NSA’s surveillance program indicates that Supreme Court Associate Justice Samuel Alito, in his days as a Princeton undergraduate, urged strict safeguards to protect personal privacy online. [Source] [US: Poll Shows Complexity of Debate on Trade-Offs in Government Spying Programs] See also: [Post Mortem, What Happens to Your Account Info?]

US – Complaint Filed Over Jay-Z/Samsung App

The Electronic Privacy Information Center (EPIC) has filed a complaint on Jay-Z and Samsung’s Magna Carta Holy Grail app. “Samsung failed to disclose material information about the privacy practice of the App, collected data unnecessary to the functioning of the Magna Carta app, deprived users of meaningful choice regarding the collection of their data, interfered with device functionality and failed to implement reasonable data minimization procedures,” EPIC said in its complaint, filed July 12. [Ars Technica]


AU – Govt Releases Security and Privacy Requirements for Cloud

The federal government has set out provisions for government agencies using cloud without compromising security or privacy. Attorney-General Mark Dreyfus said the policy will help government agencies make decisions around whether to offshore or outsource processes and requires agencies to seek government approval before storing personal information in the cloud. The policy follows the May release of the and the Australian Government Cloud Computing Policy v2.0. Dreyfus said several privacy safeguards have been built into the policy, which has been called the Australian government policy and risk management guidelines for the storage and processing of Australian government information in outsourced or offshore ICT arrangements. Under the policy, approval will be required by both the minister responsible for the information and the Attorney-General before personal information can be stored in the cloud. [Source] See also: [How to address the risks of 24/7 government] and [How Ontario faces big data privacy challenges]

JP – Japan Govt Used Wrong Privacy Settings in Google Groups

Japanese government officials and journalists have mistakenly revealed internal memos, draft stories and interview transcripts by reportedly using the incorrect privacy settings in Google Groups. Yomiuri Shimbun, a Japanese newspaper, reports it found more than 6,000 cases where public or private organizations revealed nonpublic information, including hospital records, via the wrong privacy settings. [ZDNet]


US – Google Glass Privacy Concerns Persist in Congress

U.S. Rep. Joe Barton of Texas says he is “disappointed” in Google’s response to privacy worries caused by the emergence of Google Glass. In a statement released after the Republican congressman reviewed Google’s response to a letter sent to the company by members of the Congressional Bi-Partisan Privacy Caucus — a group set up to examine the privacy issues Google Glass causes — Barton said he believes that the general public needs to be given more choice to ensure their privacy is not violated. In May, congressional leaders wrote to the tech giant to establish what controls will be put in place to protect consumer privacy. Addressed to Google CEO Larry Page, the letter (PDF) questions whether Google Glass will “infringe on the privacy of the average American,” and asks what place facial recognition technology will hold in relation to the headset’s ability to record video and take photographs. Google, in response to the letter, says that “protecting the security and privacy of our users is one of our top priorities,” and one way of doing so is making sure Google Glass requires voice activation to take video footage or shoot images. In addition, Google says that such actions activate the product’s screen, which is a change visible to others. To address facial recognition technology worries — where personal information about others or objects could be revealed without consent — the tech giant says that it “will not be approving any facial recognition Glassware at this time,” and will “prohibit developers from disabling or turning off the display when using the camera.” No changes in Google’s privacy policy are planned with the emergence of Google Glass. Finally, Google says that all files stored on the device will be deletable by users. Headsets can be remotely wiped in the case of loss or theft, and the company is currently experimenting with different ways to “lock” Glass flash memory to secure data. [Source]

US – Google Glasses Secretly Film Arrest

Documentary filmmaker Chris Barrett captured an arrest using Google’s wearable computer during a trip to the Jersey Shore boardwalk on July 4, where he witnessed a fight resulting in police intervention. Barrett filmed the incident without being noticed, the report states. “More notable than the video itself is the ease with which it was captured without the knowledge of those in the middle of the melee. His footage foreshadows the rapidly approaching future where everything can be filmed serendipitously by folks wearing devices like Google Glass without the knowledge of the parties involved,” wrote Thomson Reuters’ Christophe Gevrey. [Business Insider]


US – Microsoft Provided NSA More Help Than Previously Disclosed

Relying on NSA documents provided by Edward Snowden, The Guardian reported that Microsoft recently worked with the FBI to help the NSA get around encryption on Microsoft services, such as online chats on, and to monitor conversations on the company’s Skype service. The newspaper also said that Microsoft worked recently with the FBI to streamline the way the NSA can access users’ files on SkyDrive, Microsoft’s online document storage service, when Microsoft is required to provide that information for foreign-intelligence purposes. Microsoft said it doesn’t provide governments with blanket or direct access to Microsoft services. [Wall Street Journal]

IN – Indian Govt Can Now Intercept Consumers’ BlackBerry Communications

BlackBerry has come to an arrangement with the Indian government to allow “lawful interception” of communications in real time. The system allows the Indian government to track consumers’ communications sent to or from any BlackBerry device, regardless of whether the message has been delivered or read. The system does not include corporate email messages sent over BlackBerry Enterprise Server. News of the arrangement has raised questions among analysts about whether the Indian government will now turn its attention to Apple, whose iMessage and FaceTime services use end-to-end encryption. [ZDNet]

EU Developments

EU – European Parliament Demands Information on PRISM

The European Parliament has passed a resolution demanding that the US government provide “full information on PRISM and other such programmes involving data collection.” In addition, the European Parliament Civil Liberties Commission has voted to launch an “in-depth inquiry” into privacy and civil rights issues for EU citizens raised by PRISM. The Parliament is calling on member nations to consider putting a hold on counter-terrorism data transfer agreements with the US until the data are better protected. [ComputerWorld] [WashingtonPost] [Europarl]

EU – EU Special Committee to Investigate Spying Reports

As headlines continue to abound regarding concern from EU officials and member states, EurActiv reports the European Parliament “plans to establish a special committee to investigate reports that an American spy agency monitored phone calls and e-mails of EU institutions and some member states.” The panel, which will be established as part of the Committee on Civil Liberties, Justice and Home Affairs, will deliver its report by year’s end and “formulate proposals on adequate redress measures in case of confirmed violations and put forward recommendations to prevent that similar espionage events happen in the future,” the report states. Following communication with U.S. Attorney General Eric Holder, Justice Commissioner Viviane Reding said, “The U.S. appears to take our concerns regarding PRISM seriously,” noting Holder has committed to setting up an expert group “to assess the matter in detail…and the group will have its first meeting this month and a second one in Washington in September.” Meanwhile, in a TechNewsWorld interview, Oxford Prof. Viktor Mayer-Schönberger opines, “People feel they have been deceived; people feel that they cannot trust the U.S. government.” [Source]

EU – EU Wants Data Protection Bill by May 2014

EU Justice Commissioner Viviane Reding is calling to accelerate movement on the data protection bill currently stuck in the European Parliament’s civil liberties committee. “I would find it helpful if the European Council in October, which will deal with the European single market, could address this matter and speed up the work in the council on this important file,” said Reding in her appeal on Monday. Meanwhile, Hogan Lovells’ Christopher Wolf opines in Financial Times that “it is wrong to assume the U.S. is the worst regarding surveillance,” arguing that Europe does its fair share. [EUObserver] SEE ALSO: [Breach Requirements Are Coming: Roundup]

EU – Netherlands: The Dutch Cookie Monster

On June 5, 2012, new Dutch legislation on the use of cookies entered into force. This new regime, which introduces a requirement for informed consent based on an opt-in system, has major implications for online advertising companies focusing on Dutch customers. To implement Directive 2009/136/EC [ePrivacy Directive], the law regarding cookies in the Netherlands has now been revised to require consent that is given explicitly by the internet user in the case of “third party” and “tracking cookies”. The same requirement of explicit consent applies should a provider want to place cookies for online behavioural advertising purposes. [Source]

EU – Majority of Retailers Say New Rules Will Harm Business

More than two-thirds of online retailers say proposed changes to EU data protection rules will damage business. That’s according to a recent survey by the European Multi-channel and Online Trade Association, which represents more than 80 percent of EU online traders, the report states. The survey polled 90 companies from the UK, Germany, Austria, France, Sweden, Switzerland, Greece and Spain. [EurActiv]

EU – Sky Deutschland to Broadcast Ads Directly into Train Passengers’ Heads

Sky Deutschland has developed technology to transfer adverts from train windows directly and silently into commuters’ heads. Passengers leaning their head against the window will “hear” adverts “coming from inside the user’s head”, urging them to download the Sky Go app. The proposal involves using bone conduction technology, which is used in hearing aids, headphones and Google’s Glass headset, to pass sound to the inner ear via vibrations through the skull. BBDO spokesman Ulf Brychcy told the BBC: “If our customer Sky Deutschland agrees, we will start with the new medium as quickly as possible.” [Source]

EU – Dutch DPA Rules Against Mobile Telcos

The Dutch Data Protection Authority (DPA) has found that four mobile phone operators–KPN, Tele2, T-Mobile and Vodafone–violated Dutch laws regarding user data retention and anonymization. According to the regulator’s study, which began in 2011, the companies failed to delete or anonymize data such as websites visited and apps used as quickly as possible, as regulations require. Of the four, KPN is reportedly the only operator to have resolved each of the issues identified by the investigation. The others claim to be actively addressing the issues in cooperation with Dutch regulators. Meanwhile, Bird & Bird’s Berend van der Eijk has said a bill proposing fines of up to €450,000 for public and private organizations that fail to meet notification requirements “is very likely” to pass, noting the earliest it would enter “into force would likely be 1 July 2014, or more realistically, 1 January 2015.”

CH – Swiss DPA Releases Annual Report

Switzerland’s DPA has issued its 20th Report of Activities, covering the timeframe of April 2012 to March 2013. Hunton & Williams’ Privacy and Information Security Law Blog details the report’s focus on several data protection issues including employer monitoring of employee behavior at work, businesses’ social media and loyalty program analytics and whistleblowing provisions.

EU – Regulators Prepared to Take Action Against Google

The UK Information Commissioner’s Office (ICO) has written to Google to warn the company that it could take “formal enforcement action” if it does not alter its privacy policy by September 20. “In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act,” an ICO spokesperson said. The updated policy “does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.” Meanwhile, Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar says his office will join other European regulators, including Spain, in taking action against the company.

EU – DPA Asks Facebook for Clarifications

The Italian Data Protection Authority, the Garante, is requiring Facebook to provide clarifications by July 20 on personal data processing following recent announcements of a “bug” that caused the exposure of personal information. Panetta & Associati Studio Legale’s Rocco Panetta writes, “Facebook has already assured that the unwanted data processing has occurred due to a mere technical bug.” Despite that, he notes, the Garante is requiring confirmation on six points, including the duration of the event and measures taken to resolve the issue. [Privacy Advisor]

EU – Twitter Gives Anti-Semitic Posts to Authorities

Microblogging site Twitter has complied with a French court’s request to hand over tweets related to a number of racist and anti-Semitic messages that were posted on its site. An appeals court ruled last month that the company must hand over the names of the users propagating the anti-Semitic messages, raising the thorny issue of online anonymity and hate speech. Twitter said in a statement that handing over the data will “put an end to the dispute” and that it will work with the Union of Jewish French Students to “fight racism and anti-Semitism.” [CNET News]

Facts & Stats

US – California AG Breach Study Highlights Importance of Encrypting Data

A report from California’s attorney general found that in 2012, 2.5 million California residents had their personal information compromised in the 131 security breaches that were reported to the AG’s office. The report also notes that had companies encrypted their stored data, 1.4 million people would not have had their personal information exposed. Under state law, breaches do not need to be reported if the data affected are encrypted. [SCMagazine] [Press Release] [California’s first data-breach report finds 131 incidents hit 2.5 million citizens] and [NZ: Privacy breaches already at 20]


WW – Visa and Mastercard Blocking Payments to Some VPN Providers

Swedish online payment service provider PaySon says that Mastercard and Visa have ordered the company to stop allowing payments to some virtual private network (VPN) providers and anonymization services. The new focus on VPNs and anonymization services appears to be directed at five companies that have been linked to P2P piracy. In a related story, WikiLeaks says that its Icelandic payment processor, Valitor, is once again accepting donations from credit cards for the organization. In 2010, Mastercard and Visa ordered payment processors not to process payments to WikiLeaks. An Icelandic court ruled recently that Valitor must resume processing payments to WikiLeaks. [TechEye] [The Register] [TechDirt] [ArsTechnica] [Reuters]


WW – Privacy Concerns Over M-Pesa Mobile Banking

The mobile phone-based money transfer system M-Pesa, which has brought mobile banking to the poor in Kenya, can be used to identify unsuspecting users, potentially compromising their privacy. Grace Githaiga, a Nairobi-based ICT expert, said in order to use the system, a user must submit their ID card number and address, which in turn are transferred to an M-Pesa agent. According to Githaiga, it’s not clear where the data ends up. Additionally, a loophole in the system means users can identify other users who might otherwise wish to remain anonymous. She notes that Kenya does have pending data protection legislation, though not an existing law, “but that tells you that there’s debate around data protection, and some of these things are going to be raised in that bill.” [Deutsche Welle]

CA – Privacy Debate Looms as Canada Prepares to Share Bank Data with U.S.

The tension between cracking down on tax evasion and protecting personal privacy looms large for Canada as it prepares to announce a deal with the United States to share banking information. The arrangement would allow Ottawa to soften the blow for Canada – and the roughly one million Americans who live here – when it begins complying with the more controversial aspects of a sweeping new U.S. law that takes effect on Jan. 1. The Foreign Account Tax Compliance Act (FATCA) was signed into law in March 2010, and many of its provisions start on Jan. 1, 2014. It requires financial institutions in other countries to tell the U.S. Internal Revenue Service about Americans’ offshore accounts worth more than $50,000. Canada and the U.S. are negotiating whether Ottawa or the financial institutions will send the information, but the clock is ticking. If no deal is reached, banks operating in Canada will have to give the data directly to the IRS. Canada and the U.S. already share financial information to track activity like money laundering and terrorist financing, but the U.S. tax act creates a need to sort out exactly what will be shared and how. Canadian banks have urged Ottawa to take on the reporting duties through the Canada Revenue Agency, which could ensure that privacy laws are respected when information is sent south of the border. Over the past year, the U.S. has signed bilateral deals to enforce the act with Germany, Japan, Spain, Norway, Switzerland, Ireland, Mexico, Denmark and the United Kingdom. FATCA has created considerable concern for Americans in Canada, given that many have long ignored a U.S. rule requiring citizens to file annual tax returns even if they are not earning income in the United States. The leaders of the G8 recently pledged support for the automatic transfer of financial information to crack down on global tax evasion.
“The privacy implications of FATCA in Canada will depend on the details, which have yet to be determined,” said the federal Privacy Commissioner’s office. “Many of the people who have contacted us have expressed concern about their personal information being shared with U.S. authorities.” That concern is warranted, said Queen’s law professor Arthur Cockfield, who specializes in tax law. “No foreign government should be able to come into our country and demand personal information about our own citizens and residents,” he said, noting that the negotiations are aimed at smoothing over this problem by ensuring exchanges are mutual and at the government-to-government level.  “There’s really been a conceptual shift around FATCA in the last, say, three or four months,” he said. “It was mainly hated by Canada and at least some European governments.” Mr. Cockfield said stories on tax evasion by the International Consortium of Investigative Journalists, which began in April and for which he provided commentary, have clearly changed the international political scene as European leaders began promising automatic exchanges like FATCA. [Source]


US – US Justice Department Revises Policies on News Media Data Seizure

Revised guidelines from the US Department of Justice limit the government’s access to journalists’ records except in cases in which the journalist is the subject of a criminal investigation. Ideally, journalists are protected by the First Amendment regarding freedom of the press and the Fourth Amendment regarding unreasonable search and seizure, as well as the Privacy Protection Act and other laws. The need for a revised and clarified policy became evident when the government launched an inquiry that characterized a journalist as a spy, criminalizing his efforts to obtain information from a source, and when the government obtained phone records for AP journalists. [Information Week]

US – NY Court Takes Up Teacher Pension Privacy Issue

New York’s highest court will soon decide whether the names and benefits of retired teachers in public pension plans should be made public. The Empire Center, a project of the fiscally conservative Manhattan Institute think tank, was denied the names by the state and city teachers’ retirement systems under the state Freedom of Information Law. In refusing to release the information, the teacher pension systems cited a recent court decision that protects police retiree names. Lower courts agreed with that privacy argument, and the Empire Center appealed to the Court of Appeals, which accepted the case last week. The Empire Center collects such data for its own research, for news media and for private individuals to track how public money is spent and to help identify any abuses. The center doesn’t seek addresses or other data from the records, which were once provided by the retirement systems as public documents. Arguments are expected within weeks; a decision could come weeks later. Empire Center Director Timothy Hoefer said the Court of Appeals decision to take the case is seen as a “ray of hope for public transparency.” [Source]


WW – Little Debate on Privacy as DNA Collection Flourishes

The collection of DNA by governments around the world is flourishing but there is a lack of public debate about the privacy and ethical issues raised by such collection. Yaniv Erlich of MIT’s Whitehead Institute for Biomedical Research said there is a lot of upside to having DNA databases, but said, “our work shows there are privacy limitations.” Others have warned of “mission creep” where law enforcement use DNA to gather data on racial origins, medical history and psychological profiles. A University of Baltimore forensics professor said, “There’s got to be a debate… Do we want to have a society where 5% of the crime is unsolved, or do we want to have a society where 100 percent of the crime is solved” but privacy goes extinct? “What’s the trade-off?” [The Associated Press] [Spread of DNA databases sparks ethical concerns]

WW – Privacy and the Family Genetic Inheritance

In this audio episode of Family Caregivers Unite, Dr Gordon Atherley interviews Ma’n Zawati, LLB, LLM, a lawyer and Academic Coordinator of the Centre of Genomics and Policy at McGill University. He shares his personal story, describes his research and work as a lawyer, and explains the Centre’s research regarding family genetic information. He discusses protections provided by privacy and security laws against theft and disclosures of our genetic information that could be harmful to us. He suggests ways in which the principles underpinning laws could be improved so our genetic information and that of our families can be better protected. He says what more he wants to do and see done by governments to improve laws to protect against abuse of our and our families’ genetic information. He says what more help is needed by individuals and their families so they can understand and speak about their fears of the risks of abuse of their genetic information. He shares his message for family caregivers. [Source]

US – Court Ruling On DNA Swabs Worries Local Privacy Advocates

A major decision handed down by the Supreme Court puts the right to privacy up for debate. The court ruled it is ok to take a DNA mouth swab from a person simply while under arrest to see if they could be connected to unsolved crimes. Law professor and defense attorney Richard Kling calls it a “dangerous precedent” but admits a mouth swab is just like a fingerprint. “With no probable cause and with no warrant and no consent, you can now be forced to give a DNA swab which can be used to investigate you for anything and everything — regardless of whether you’re under suspicion,” said Kling. “It creates this massive database nationally of DNA,” said Ed Yohnka of the ACLU. “It opens up all kinds of opportunities for discrimination, denials for other kinds of mistreatment that frankly we shouldn’t do because government shouldn’t have the information in the first place,” said Yohnka. [Source]

Health / Medical

US – Workers Fired Over Kardashian Breach

Five healthcare workers from Cedars-Sinai Medical Center—a common destination for celebrities seeking medical treatment—have been fired for unauthorized access to 14 patient records, including those of Kim Kardashian. Representatives from the organization said they have a “high standard for security” and “in this case that standard was violated.” In other breach news, the personal records of as many as 277,000 former patients of a North Texas hospital were found in a Dallas park and included contact details and SSNs. And Long Beach Memorial Medical Center has notified 2,864 patients their medical records have been compromised. Reports state the breach stems from an internal employee but no further details have been issued thus far. [Reuters] See also: [NZ: Ryder’s privacy breached during hospital stay – investigation] and [Florida Department of Health sweeps confidential Rx data leak under rug] and [US:  Fort Worth Hospital Notifies Patients from 1980 to 1990 of Potential Records Privacy Issue]

US – Health Sites Under Scrutiny Over Mining of Data

Illinois Attorney General Lisa Madigan has opened an inquiry into the data-mining practices of popular health websites such as WebMD. Madigan has sent letters to the sites’ executives citing concerns about the dissemination of data related to web surfers’ health-related searches, the report states. “Health-related information, which would be protected from disclosure when said in a doctor’s office, can be captured, shared and sold when entered into a Web site,” Madigan wrote, adding that consumers likely overlook such concerns if information on disclosures is buried in privacy policies. One researcher recently found third-party entities often track patients searching health-related terms. [The New York Times] See also: [Privacy, security concerns of enabling patient access to PHI]

US – Digital Diapers Track Children’s Health

Newly developed baby diapers complete with digital tracking technology can detect potential urinary tract infections, kidney dysfunctions and dehydration. Developed by Pixie Scientific, the diaper connects to a smartphone app and can transmit the health data to a central database where a physician can interpret the information. The technology is currently being tested by a number of children’s hospitals and, if successful, would then be submitted to the U.S. Food and Drug Administration for approval. Pixie Scientific’s founder said, “You really don’t want to overload parents with data they don’t understand…Eventually, the quantified self idea will be mostly silent and unobtrusive, just something inside the existing flow of life.” [The New York Times]

Horror Stories

US – WellPoint to Pay US $1.7 Million for HIPAA Violations

The U.S. Department of Health and Human Services (HHS) has announced that insurance provider WellPoint has agreed to pay a $1.7 million fine for inadequately protecting a database containing more than 600,000 personal records, according to an HHS press release. Between October 2009 and March 2010, the health data of 612,402 individuals—including names, addresses, dates of birth and Social Security numbers—was accessible online. The investigation revealed WellPoint “did not have adequate policies and procedures for access to the online application database” that was breached and did not have “technical safeguards” in place for access verification. WellPoint was also ordered to pay US $100,000 to the state of Indiana to settle charges resulting from a breach that exposed personal information of 32,000 Indiana patients. [SC Magazine] [ComputerWorld] [BusinessWire] [IT World] See also: [North Carolina: Some security experts criticize Blue Cross’ handling of private data] [Wyndham, LabMD Cases Challenging FTC: Two cases could disrupt FTC’s data security authority]

UK – ICO Fines NHS Surrey Over Patient Data on Resold Hard Drive

NHS Surrey has been fined GBP 200,000 (US $302,000) over data remaining on a hard drive sold on eBay. The storage device held records of nearly 3,000 patients and had been given to a third party for secure destruction. The drive in question was in a PC that was part of a lot provided to the data destruction company. All the hard drives and data were supposed to be destroyed, and the company had provided certificates saying that the actions agreed upon had been taken. The ICO chastised NHS Surrey for providing inadequate oversight of the data destruction company. [TechWorld]

UK – Sony Drops Fine Appeal

Sony has abandoned its appeal of a GBP 250,000 (US $376,000) fine imposed after a 2011 PlayStation Network (PSN) hack. The UK Information Commissioner’s Office (ICO) fined Sony in January 2013, after finding the company negligent for inadequately protecting PSN user data. Sony initially said it would appeal the fine, but has since changed its position, citing the company’s “commitment to protect[ing] the confidentiality of [its] network security from disclosures in the course of the proceedings.” Sony has stated that it remains opposed to the decision.

WW – Data Breach Roundup

Four million members of Club Nintendo—Nintendo’s member website—have had their names and contact information illegally accessed, according to the videogame maker. The company has been quick to note that it has not confirmed misuse of this information. “Nintendo confirmed there had been around 15.46 million fraudulent login attempts from June 9 through (last) Thursday, of which 23,926 were successful,” The Japan Times reports.

An employee at Guilford County Schools in North Carolina sent a PDF containing the names, addresses, grades and other records of 456 rising seniors at Page High School to a student’s guardian. The school district reports that the breach was accidental and was quickly identified and investigated.

Indiana’s Family and Social Services Administration began notifying some 187,533 individuals that the state agency accidentally disclosed their personal information, monthly benefit amounts, some medical information and even Social Security numbers to members of the public. The breach allegedly stemmed from a computer programming error.

Morningstar revealed that it suffered a breach last April, compromising personal information and credit card details from some 2,300 users of its investment research service, Morningstar Document Research. Morningstar further warned that the passwords and e-mail addresses of some 182,000 users may have been illegally accessed. The AP reports that Morningstar offered affected customers a year of free identity protection services.

The Information Commissioner’s Office (ICO) could impose a fine of up to 200,000 GBP on Herefordshire Council following a breach that was reportedly “so sensitive that to reveal its details also risks breaching the Data Protection Act.”

Pulse, a weekly medical publication, published survey results showing that the number of data breaches at 55 UK hospitals increased 20% year-on-year through June 2013. Many of the reported breaches were one-off incidents, giving rise to the possibility that the increase might reflect more thorough reporting practices and awareness rather than increased data theft or inadequate security.

In breach litigation in the U.S., the Tennessee Court of Appeals ruled that a lawsuit stemming from the hacking of Copper Basin Federal Credit Union’s computers can move forward. The lawsuit alleges that the hacking and the resulting illegal transfer of funds was a result of negligence by Fiserv Solutions, a contracted technical support provider. The complaint claims that Fiserv failed to activate the antivirus firewall and protection software it required the credit union to purchase as part of its service contract.

In Missouri, the Office of the Attorney General has determined Schnuck Markets Inc. did not violate Missouri data security law, St. Louis Business Journal reports, noting the determination follows an investigation into a widespread data breach at Schnucks.

The Federal District Court for the Middle District of Florida threw out a class-action lawsuit alleging that employees at Adventist Hospital System’s Florida Hospital Celebration sold patients’ PHI. The dismissal for lack of subject matter jurisdiction notes that as HIPAA/HITECH does not provide for a private right of action, just a regulatory penalty, there was no sufficient federal issue to justify a hearing in federal court. State law, however, may accord the plaintiffs an avenue to pursue their claims.

ID Experts has compiled 12 “top trends in data breach, privacy and security” as enumerated by some of the top minds in the field. Advanced persistent threats—long-term, undetected hacks—and globalized data thieves top the list. A colorful infographic makes things easy for those who want to do less reading. Meanwhile, Corporate Counsel offers advice for communicating with customers following a breach incident.

The University of South Carolina has sent letters to 6,300 students whose personal information may have been on a stolen laptop, Greenville Online reports. The information included Social Security numbers. The school is currently working toward a new cybersecurity program.

A Virginia trooper has been indicted on one felony and eight misdemeanor counts of computer invasion of privacy based on allegations she was improperly using the Virginia Criminal Information Network.

Personal information stolen from Michigan Department of Community Health website: Thieves have obtained the personal information of about 49,000 individuals from Michigan Department of Community Health records, a department spokeswoman confirmed.

Game company Ubisoft has announced its systems have been breached by cybercriminals, recommending users change passwords immediately. The attack divulged user names, email addresses and encrypted passwords, Ubisoft said. The company said it does not store payment information. [Source]

Identity Issues

US – Internet Groups Complain About COPPA Compliance Costs

Internet groups have complained to the FTC that new regulations to protect children’s privacy online are financially burdensome to start-ups. The regulations went into effect July 1 and not only hold sites and apps that collect data from children under 13 responsible for ensuring parental consent but also for any affiliated third-party services collecting data on their sites. The FTC estimates annual compliance costs for current web services at $6,223 and new services at $18,670. The report states 85 to 90 percent of the web services are run by small businesses. [Los Angeles Times]

US – The USPS Is Selling Data to Brokers

The United States Postal Service (USPS) has a relationship with various data brokers. According to the report, the USPS will sell change-of-address information to a data broker provided the firm purchasing the data has the user’s previous address. The USPS National Change-of-Address program (NCOA) approves licenses to approximately 500 companies. “There’s nothing terrible about NCOA, but people should be given a choice,” said privacy expert Bob Gellman. “New movers are fodder for data brokers, who sell mailing lists to marketers and who also maintain lifetime files on every household in America. NCOA is a prime source of this information.” There is, however, a loophole for consumers that prevents data brokers from accessing the updated address. [Forbes] See also: [US: Is IRS Legally Free to Expose Private Info?]

CA – Canadian ePassports Arrive July 1

Starting July 1, Canadians will receive a redesigned ePassport featuring several new security and anti-counterfeiting measures, including an electronic chip that stores the user’s personal information. Travellers are not required to replace their current passports. Older passports will remain valid until their stated expiry date, Passport Canada says. Addressing privacy concerns, the agency says the passport chips can only be read from a 10-centimetre range, making it unlikely that the chip can be read without the user’s knowledge.  Canada is the last G7 country to adopt chip-enhanced passports; over 100 countries, including the U.S., France, Germany and the U.K. already employ ePassports. [Source]
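The 10-centimetre read range quoted by Passport Canada is only one of the controls. ePassports built to the ICAO Doc 9303 standard (which the Canadian document is assumed here to follow; the page itself does not say) also implement Basic Access Control: before the chip will release any data group, the reader must prove it knows the passport's machine-readable zone by deriving a pair of 3DES keys from the document number, date of birth and date of expiry. The following is an added example, not Passport Canada's or the ICAO's code, that carries that derivation through with the standard's own published test values (the document number L898902C<, birth date 690806 and expiry 940623 are the worked example from Doc 9303, not a real passport). It shows concretely what an eavesdropper at 10 cm still lacks, and also that the keys' entropy is bounded by those three printed fields.

```python
import hashlib

# MRZ check digit per ICAO Doc 9303: weights 7, 3, 1 repeating; '<' counts 0,
# digits count their value, letters A..Z count 10..35.
def mrz_check_digit(field: str) -> str:
    total = 0
    for i, ch in enumerate(field.upper()):
        if ch == "<":
            value = 0
        elif ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)


def mrz_information(doc_number: str, birth_yymmdd: str, expiry_yymmdd: str) -> str:
    """The 24-character string the reader must know before the chip will talk:
    document number (padded to 9 with '<') + check digit, date of birth + check
    digit, date of expiry + check digit. All of it is printed in the MRZ."""
    doc = doc_number.upper().ljust(9, "<")[:9]
    return (doc + mrz_check_digit(doc)
            + birth_yymmdd + mrz_check_digit(birth_yymmdd)
            + expiry_yymmdd + mrz_check_digit(expiry_yymmdd))


def _odd_parity(key: bytes) -> bytes:
    # DES keys carry a parity bit in the LSB of each byte; set it so every byte has odd parity.
    out = bytearray()
    for b in key:
        ones_in_key_bits = bin(b >> 1).count("1")
        out.append((b & 0xFE) | (0 if ones_in_key_bits % 2 else 1))
    return bytes(out)


def bac_key_seed(mrz_info: str) -> bytes:
    # Kseed = first 16 bytes of SHA-1(MRZ_information)
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]


def bac_keys(mrz_info: str) -> tuple[bytes, bytes]:
    """Derive the two-key 3DES keys (Kenc, Kmac) with the ICAO key derivation:
    SHA-1(Kseed || counter), counter 1 for encryption and 2 for MAC, then DES
    parity adjusted on each 8-byte half."""
    seed = bac_key_seed(mrz_info)

    def derive(counter: int) -> bytes:
        h = hashlib.sha1(seed + counter.to_bytes(4, "big")).digest()
        return _odd_parity(h[:8]) + _odd_parity(h[8:16])

    return derive(1), derive(2)


if __name__ == "__main__":
    # Doc 9303 worked example: these are the standard's test values, not a real document.
    info = mrz_information("L898902C", "690806", "940623")
    k_enc, k_mac = bac_keys(info)
    print("MRZ_information:", info)
    print("Kseed:", bac_key_seed(info).hex().upper())
    print("Kenc: ", k_enc.hex().upper())
    print("Kmac: ", k_mac.hex().upper())
```

Kenc and Kmac are then used in the BAC challenge-response with the chip and to derive the session keys that encrypt and MAC every subsequent APDU; nothing here touches a chip, it only reproduces the key material a reader needs, which is the point the range argument leaves out.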

US – Equifax Credit Agency Snags TrustedID

Equifax, one of the three largest U.S. credit-reporting agencies, has acquired TrustedID, which specializes in identity protection. The terms were not disclosed in Monday’s announcement, but AllThingsD pegs the price at about $30 million. Palo Alto, Calif.-based TrustedID, which was founded in 2004, will become part of Equifax Personal Solutions, its direct-to-consumer business unit. Equifax’s interest in the smaller company is threefold: its technology is robust, its existing partner relationships (for example, its exclusive deal with AARP) are coveted, and Equifax’s own credit and identity products could use reinforcement. TrustedID’s data protection abilities reach far, from social media to snail mail. Equifax has previously indicated that it sees the personal data security market as a growth opportunity. [Source]

JP – Train Operators’ e-Ticket ‘Big Data’ Sale Sparks Privacy Backlash

Last week, JR East – Japan’s largest train operator – and Hitachi made a seemingly nondescript announcement that East Japan Railway was selling the anonymized e-ticket histories of millions of passengers as marketing data, and it almost did not get noticed. A few prominent bloggers then highlighted the fact that this is the first time that e-ticket transaction histories would be sold to third parties as marketing data, sparking a storm of discussion that has now spilled over to social networking sites. JR East continues to argue that the data is mostly anonymous. “There is no way to determine the identity of specific individuals from the data, so we feel there is no privacy issue.” [Source]

Internet / WWW

US – Utah ISP Won’t Share Your Data Without a Warrant

Xmission, a tech company operating in Utah, has spent the past 15 years “resolutely shielding customers’ privacy from government snoops in a way that larger rivals appear to have not.” Xmission is Utah’s first independent, and oldest, Internet service provider and has only 30,000 subscribers, but it has cited the Fourth Amendment in order to rebuff dozens of warrantless requests from local and federal law enforcement authorities. “I would tell them I didn’t need to respond if they didn’t have a warrant, that to do so wouldn’t be constitutional,” said Founder and CEO Pete Ashdown. “I’m not an unpaid branch of the government or law enforcement.” [The Guardian]

US – Researcher Finds Health-Related Searches Threaten Privacy

A researcher at the University of Southern California says patients searching for health-related information online may have their privacy threatened. Marco Huesch searched key terms such as “depression,” “herpes” and “cancer” on health-related websites. Using free privacy tools such as DoNotTrackMe and Ghostery, Huesch found third-party entities tracking him. Sampling 20 high-traffic sites, including the Food and Drug Administration and WebMD, at least one third-party entity—and as many as six or seven—were tracking him on each site, he found. Additionally, 13 out of 20 sites contained third-party elements that tracked user data, and seven of those 13 leaked Huesch’s searches to tracking entities, the report states. [AFP] SEE ALSO: [Stalkers use online sex ads as weapon]
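Neither the Madigan inquiry above nor the Huesch study in this item spells out how a search term reaches a third party. The usual path, assumed here rather than taken from the page, is that the term sits in the results page's URL and every script, image or frame the page loads from another site receives that URL in the Referer header. The following added example (not Huesch's tooling, nor DoNotTrackMe or Ghostery) parses a constructed results page, lists the third-party hosts it would make the browser contact, and reports whether each would see the term under the 2013-era browser default (full URL) versus the later Referrer-Policy values; the placeholder hostnames are constructed and the two-label domain match is a simplification that ignores suffixes such as co.uk.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, urljoin, parse_qs


class SubresourceCollector(HTMLParser):
    """Collect URLs a browser fetches while rendering the page (scripts, images,
    frames, stylesheets). Each of those fetches carries a Referer header."""
    ATTR_FOR_TAG = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTR_FOR_TAG.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.urls.append(value)


def registrable_domain(host: str) -> str:
    # Simplification (assumption): last two labels; multi-label suffixes are not handled.
    return ".".join(host.lower().split(".")[-2:])


def referer_sent(page_url: str, policy: str) -> str:
    """Referer header content under a policy. 'unsafe-url' models the 2013-era
    default (full URL minus fragment); 'strict-origin-when-cross-origin' sends
    only the origin to other sites; 'no-referrer' sends nothing."""
    p = urlsplit(page_url)
    if policy == "no-referrer":
        return ""
    if policy == "strict-origin-when-cross-origin":
        return urlunsplit((p.scheme, p.netloc, "/", "", ""))
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def third_party_leaks(page_url: str, html: str, term_param: str = "q",
                      policy: str = "unsafe-url") -> list[dict]:
    """For every third-party subresource, report the Referer it would receive
    and whether the user's search term is inside it."""
    collector = SubresourceCollector()
    collector.feed(html)
    first_party = registrable_domain(urlsplit(page_url).hostname or "")
    term = parse_qs(urlsplit(page_url).query).get(term_param, [""])[0]
    referer = referer_sent(page_url, policy)
    leaked_terms = parse_qs(urlsplit(referer).query).get(term_param, [])
    report = []
    for raw in collector.urls:
        host = urlsplit(urljoin(page_url, raw)).hostname or ""
        if registrable_domain(host) == first_party:
            continue  # same site: not a third party
        report.append({
            "host": host,
            "referer": referer,
            "leaks_term": bool(term) and term in leaked_terms,
        })
    return report


# Constructed sample: a health site's results page for the query "herpes" that
# embeds two third-party resources. Hostnames are placeholders, not real trackers.
SAMPLE_PAGE_URL = "https://health.example/search?q=herpes&page=1"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.adtracker.example/t.js"></script>
</head><body>
<img src="https://static.health.example/logo.png">
<iframe src="//ads.other.example/frame?slot=top"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for policy in ("unsafe-url", "strict-origin-when-cross-origin", "no-referrer"):
        print(policy)
        for row in third_party_leaks(SAMPLE_PAGE_URL, SAMPLE_HTML, policy=policy):
            print("  ", row["host"], "leaks term:", row["leaks_term"],
                  "Referer:", row["referer"] or "<none>")
```

The fix on the site side is the same either way: keep the term out of the URL (POST the query or keep it server-side) or set a Referrer-Policy that strips the query for cross-site requests; a tracker-blocking add-on only removes the requests it recognises.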

WW – Visualizing Your Metadata

The New York Times reports on Immersion, an MIT Media Laboratory project that mines a consenting user’s e-mail metadata and creates an interactive graphic. “The result is a creepy spider web showing all the people you’ve corresponded with, how they know each other and who your closest friends and professional partners are,” the report states. Meanwhile, a German politician who sued a telecommunications company for his phone data over a six-month span has, in conjunction with ZEIT ONLINE, created a mapped visual of his day-to-day life. By combining Green Party Politician Malte Spitz’s phone data, which includes location information, with publicly available data—including information relating to his political life, Twitter feeds and blog entries—a robust and detailed interactive portrait emerges of Spitz’s personal movements. [New York Times] SEE ALSO: [You may already be a winner in NSA’s “three-degrees” surveillance sweepstakes!] and [UK Businesses Get Creative With Consumer Data at the ‘MIDATA’ INNOVATION LAB Launch] [Internet inventor Vint Cerf: No technological cure for privacy ills]
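To make the “spider web” concrete: the following added example (not Immersion’s code) reads only the From, To and Cc headers of a constructed five-message mailbox, never the bodies, and from that alone recovers the owner’s most frequent contacts and the groups of people who appear on threads together. The mailbox, the owner address and every correspondent are constructed for the example.

```python
from collections import Counter, deque
from email import message_from_string
from email.utils import getaddresses
from itertools import combinations

# Constructed sample mailbox (only the headers matter; bodies are placeholders).
OWNER = "alice@example.org"
SAMPLE_MESSAGES = [
    "From: Bob <bob@example.org>\nTo: alice@example.org\nCc: carol@example.net\n"
    "Date: Mon, 1 Jul 2013 09:00:00 +0000\nSubject: draft\n\n(body omitted)\n",
    "From: alice@example.org\nTo: bob@example.org, carol@example.net\n"
    "Date: Mon, 1 Jul 2013 10:30:00 +0000\nSubject: Re: draft\n\n(body omitted)\n",
    "From: alice@example.org\nTo: Dave <dave@example.com>\n"
    "Date: Tue, 2 Jul 2013 08:00:00 +0000\nSubject: invoice\n\n(body omitted)\n",
    "From: erin@example.net\nTo: alice@example.org, dave@example.com\n"
    "Date: Wed, 3 Jul 2013 12:00:00 +0000\nSubject: Re: invoice\n\n(body omitted)\n",
    "From: bob@example.org\nTo: alice@example.org\n"
    "Date: Thu, 4 Jul 2013 18:00:00 +0000\nSubject: lunch?\n\n(body omitted)\n",
]


def correspondents(raw: str) -> set[str]:
    """Addresses found in From/To/Cc, lower-cased. The body is never read."""
    msg = message_from_string(raw)
    addrs = set()
    for header in ("from", "to", "cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                addrs.add(addr.lower())
    return addrs


def build_graph(raw_messages, owner):
    """Return (messages per contact, co-occurrence count per pair of contacts).
    The owner is removed so the graph shows the owner's world, not the owner."""
    contact_count = Counter()
    edges = Counter()
    for raw in raw_messages:
        people = sorted(correspondents(raw) - {owner.lower()})
        contact_count.update(people)
        for a, b in combinations(people, 2):
            edges[(a, b)] += 1
    return contact_count, edges


def top_contacts(contact_count, n=3):
    return [addr for addr, _ in contact_count.most_common(n)]


def clusters(edges):
    """Connected components of the contact graph: people who share threads,
    i.e. who, as far as the metadata can tell, know each other."""
    adjacency = {}
    for a, b in edges:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    seen, groups = set(), []
    for start in sorted(adjacency):
        if start in seen:
            continue
        group, queue = [], deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            group.append(node)
            for nxt in adjacency[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        groups.append(sorted(group))
    return sorted(groups)


if __name__ == "__main__":
    counts, edges = build_graph(SAMPLE_MESSAGES, OWNER)
    print("closest contacts:", top_contacts(counts))
    print("who knows whom:", clusters(edges))
    for (a, b), n in edges.most_common():
        print(f"  {a} <-> {b}: {n} shared thread(s)")
```

Five headers are enough to tell that bob is the owner's closest contact, that bob and carol work together, and that dave and erin form a separate circle; a real mailbox gives the same graph with thousands of nodes and with dates attached, which is the point the metadata-is-harmless argument misses.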

Law Enforcement

US – Security Cameras at Boston’s July 4th Celebration Raise Privacy Concerns

One thing you can expect to see in Boston on this Fourth of July: many, many more police than usual — and many more security cameras too. Law enforcement is responding aggressively to the security issues raised by the marathon bombings, and the ACLU of Massachusetts is raising privacy concerns. Massachusetts State Police Superintendent Col. Timothy Alben said security cameras are being deployed at and around the Fourth of July events in unprecedented numbers. Operated wirelessly, the cameras’ recordings will be downloaded to a central server, he said, where, from a technical point of view at least, they could be kept indefinitely. “We haven’t developed a policy on how long we’ll keep it,” Col. Alben said. “I think again we did a lot of this in preparation for this particular event. And, as we move forward, we’ll refine the policy, I think, on keeping it.” That lack of refinement has the ACLU of Massachusetts concerned. Kade Crockford, who directs the group’s Technology for Liberty Project, says it is legitimate for law enforcement to deploy such cameras to protect safety at big public events. “That said, I think it’s very troubling that the police do not have a policy to govern the use of these cameras,” she said. Most police departments that use surveillance cameras do have such policies, Crockford noted. They are needed, she said, to ensure that free-speech protected activities — including anti-federal surveillance protests scheduled for the Fourth of July — are not monitored illegally. [Source]


US – Data Brokers Are Now Selling Your Car’s Location for $10 Online

Forbes reports on the business of license-plate recognition. One data broker, TLO, announced recently it has begun selling location information on license plates that have been filed and identified, and police have started using the technology to track suspects. TLO’s “massive” database claims to add up to 50 million new vehicle sightings each month. “One possible longer term issue around license-plate recognition is that new firms in the field seeking to gain market share could gather specific data such as who was visiting what churches or mosques, underground clubs or medical clinics and perhaps distribute that information more freely than companies now do,” the report states. [Source]

US – States Move on Laws Requiring Warrants for Cellphone Records

The New York Times reports on a recently passed Montana bill that requires police to obtain a search warrant before determining a suspect’s location based on cellphone carrier records. Realizing the value of metadata and the ability of cellphones to track our daily movements, Montana’s governor signed the location information privacy bill—reportedly the first of its kind in the nation—into law on May 6. Other states are working to pass similar bills. Maine’s version is on its way to the governor’s desk, and Massachusetts will hold a legislative hearing on a similar measure next week. [Source] [Source]

Online Privacy

WW – W3C Rejects Ad Industry’s DNT Proposal

The World Wide Web Consortium (W3C) has rejected the Digital Advertising Alliance’s (DAA) draft proposal for a universal Do-Not-Track standard. W3C said the DAA proposal was “less protective of privacy and user choice than their earlier initiatives.” The group says it will instead work from the “June draft,” though even privacy advocates say the draft faces “insurmountable obstacles to adoption by the deadline at the end of this month.” [AdAge] [Daily Examiner] [MediaPost: Mozilla Questions IAB’s Do-Not-Track Estimates] [As the Do Not Track standard unravels, privacy alternatives emerge]

WW – Do-Not-Track Continues To Spark Fires

Microsoft’s newest version of Internet Explorer (IE) allows users to grant permission for specific websites to log their movements. IE11 debuted in the Windows 8.1 preview last week and features a default Do-Not-Track setting with a “user-granted exceptions” option. Meanwhile, following criticism over its plans to move forward with a project to block third-party cookies in the Firefox browser, Mozilla’s Harvey Anderson said there’s “no constitutional right that allows people to modify my computer.” The Digital Advertising Alliance has called the proposal “draconian.” [IT Pro]

WW – Twitter Adopts DNT by Default

Twitter will begin using cookies to track users and deliver advertising, but because its program abides by Do-Not-Track settings and has a clear opt-out, privacy advocates are praising it. An Electronic Frontier Foundation activist said in a blog post, “We think Twitter is setting an important example for the Internet: It is possible to exist in an ecosystem of tailored advertisements and online tracking while also giving users an easy and meaningful opt-out choice.” Meanwhile, Vine, a video-sharing site owned by Twitter, has added privacy settings to its services—including the ability to make Vines private. [PC Pro]

WW – Facebook Rolls Out Graph Search to Millions

Several hundred million people will have access to Facebook’s Graph Search beginning this week, six months after its beta testing. The tool is “designed to take any open-ended query and give you links that might have answers,” according to Facebook CEO Mark Zuckerberg. Upon its initial release, the tool prompted concerns that it would compromise the privacy rights of minors. It “makes paying attention to privacy settings much more important if you don’t want embarrassing photos from years ago dredged up or your public contact information scraped,” the report states. [Tech Crunch] SEE ALSO: [Facebook defends Graph Search’s privacy controls for teens | Facebook blog post] and [Facebook’s new promoted-post feature sparks privacy concerns] and also: [How To Opt Out of Receiving Facebook Ads Based on Your Real-Life Shopping Activity]

Other Jurisdictions

AU – Media Companies Told to Adapt to Australia’s New Digital Privacy Laws

Changes to the Privacy Act mean digital publishers face fines of more than $1 million unless they are transparent about personal data they collect and use. The new rules come as the traditional print media targets users who now prefer to use mobile devices through social media sites like Facebook and Twitter. The warning is highlighted in a report released by the consulting group PricewaterhouseCoopers. [Source]

IN – Gov’t Surveillance Raises Trust Concerns

The New York Times reports on India’s Centralized Monitoring System—its new surveillance program—and whether citizens can trust that the government will not infringe on their privacy. The government has said it will abide by laws mandating that it receive proper authorization prior to intercepting communications and that privacy will be better protected. “But there are a host of reasons why the citizens of India should be skeptical of those official claims,” the report states. [Source]

Privacy (US)

US – How First PCLOB Meeting Affects Private Firms

At the Privacy and Civil Liberties Oversight Board’s first public meeting since its reemergence under new Chairman David Medine, the focus was very precise: What direct and concrete improvements could be made to “Surveillance Programs Operated Pursuant to Section 215 of the USA PATRIOT Act and Section 702 of the Foreign Intelligence Surveillance Act.” Ideas generated included making the FISA Court adversarial, decreasing the vagueness around “data minimization,” instituting a data retention law and a number of other suggestions. [The Privacy Advisor]

US – Judge Grants Chevron Access to Activists’ Online Data

A U.S. federal judge has ruled to allow Chevron, via subpoena to Microsoft, Google and Yahoo, access to the IP usage records of more than 100 environmental activists, journalists and attorneys. The company has requested the records to piece together a lawsuit alleging the oil company was the victim of a conspiracy ending up in an $18.2 billion judgment against it for the dumping of 18.5 billion gallons of oil waste in the Ecuadorean Amazon, the report states. The Electronic Frontier Foundation’s Marcia Hoffman said, “These sweeping subpoenas create a chilling effect among those who have spoken out…” The subpoena, according to ERI, requests personal information of each account holder and every login over a nine-year period. [Common Dreams]

US – The Future of Consumer Privacy Class Actions

The New York Law Journal explores the potential future of consumer privacy class-action lawsuits in light of the recent comScore decision, noting that it and “other recent decisions allowing privacy cases to proceed in the absence of actual damages suggest that the legal landscape may be changing, and that privacy could be the next significant frontier in class-action litigation.” Meanwhile, The Sun Sentinel reports malpractice lawyers have argued that a new Florida law, Ch. 2013-108, may violate patient privacy. [Source]

US – Children’s Privacy Suits To Be Heard in NJ

The U.S. Judicial Panel on Multidistrict Litigation has sent six class-action lawsuits alleging Google and Viacom “violate children’s privacy by using cookies to track their Internet use and target them for ads” to New Jersey to be heard. A nationwide class-action was filed back in December in Texas by Stephanie Fryar, who “claimed that when her sons registered and created profiles on three Viacom-operated websites…the defendants placed a cookie ‘id’ on the children’s computers to track their communications to those websites and others,” the report states, noting similar cases were filed in California, Illinois, Missouri, New Jersey and Pennsylvania. [Courthouse News Service] [National Law Journal]

US – Leslie Harris to Step Down at CDT

Leslie Harris, who has headed the Center for Democracy & Technology (CDT) since 2005, announced this month that she will resign from her post in March of 2014, just as the CDT celebrates its 20th anniversary. Harris made it clear that she is not retiring but rather “right-sizing,” and she is hardly done with her work in the privacy arena. Hear her thoughts on CPOs’ human rights obligations, the status of current legislation, where CDT goes from here and more. [Source]

US – DHS Secretary Napolitano Resigns to Head University of California System

Homeland Security Secretary Janet Napolitano, who led the burgeoning Department of Homeland Security through a host of policy changes in the era after the Sept. 11, 2001 attacks on the U.S., is resigning to head the University of California system. Napolitano, just the third person to lead the 10-year-old department, told her senior staff Friday she would be leaving to become the president of the University of California system. The university also announced Napolitano’s nomination to be the 20th president of the statewide system. A former Arizona governor and attorney general, Napolitano was appointed by President Barack Obama in 2008. She had led the department through a series of policy changes with respect to protecting the public safety, including a focus on enforcing immigration laws. [Source]

Privacy Enhancing Technologies (PETs)

WW – Pirate Bay Founder Aims to Create Spy-Proof Messaging App

It took 36 hours for users to contribute $100,000 to fund an app designed to avoid government spy agencies. The app, called, is Swedish for “secret.” It aims to give users an alternative to major tech companies. “We’re building a message app where no one can listen in, not even us,” the creators said of the product. Pirate Bay founder Peter Sunde is working with app developers to create a mobile messaging application that uses end-to-end encryption, which means that only the sender and the recipient will be able to read messages. Sunde says there will not be ads on the app and that it will not sell user data to advertisers. The funding will come solely from users, who will have to pay extra to use certain features, such as sending images. [CNET] [ComputerWorld] [Source] See also: [Kremlin Returns to Typewriters]

WW – New Privacy Enhancing Technology Preserves Web Anonymity and Privacy

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, presented the 2013 Award for Outstanding Research in Privacy Enhancing Technologies (PET Award) via video at Indiana University in Bloomington, Indiana. Dr. Cavoukian and Microsoft co-sponsor the award, which was created in 2003 to encourage the development of technology that protects privacy rather than threatens it. The winners are selected by a global panel of leading technology researchers. The winning paper, “Adversarial Stylometry: Circumventing Authorship Recognition to Preserve Privacy and Anonymity,” is based on research conducted by Sadia Afroz, Michael Brennan, and Rachel Greenstadt. The paper examined methods for defeating stylometry, which has recently been revolutionized online by advances in computer algorithms. The privacy concern that arises from stylometry is that it can be used to reliably link anonymous or pseudonymous text to identifiable individuals. To lessen these risks, the authors developed software called “Anonymouth” that assists users by suggesting modifications to their text to defeat stylometry. [Source] [More information about the privacy technology awards]
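To make the privacy concern concrete, here is a small added example (not code from the award-winning paper or from Anonymouth) of the classic function-word approach to authorship attribution: each text is turned into a vector of relative frequencies of common function words, and an unknown text is attributed to the known author whose profile is closest by cosine similarity. The author samples and the anonymous text are constructed for illustration, and the function-word list is an assumed, deliberately short one; real stylometric systems use hundreds of features, but even this toy profile shows how habitual word choices leak identity, which is exactly the signal a tool like Anonymouth helps a writer reduce.

```python
"""Toy stylometric attribution using function-word frequencies.

Added illustration only: the author samples below are constructed,
and FUNCTION_WORDS is an assumed, abbreviated feature list.
"""
import math
import re
from collections import Counter

# Assumed feature list: frequent, topic-independent words whose usage
# rates tend to be habitual for a writer (a small subset for illustration).
FUNCTION_WORDS = [
    "the", "and", "of", "to", "a", "in", "that", "is", "it", "for",
    "but", "with", "as", "not", "on", "this", "very", "which",
    "however", "quite",
]

# Constructed samples: "alice" leans on hedges like "however"/"quite"
# and relative clauses with "which"; "bob" writes short clauses joined by "and"/"but".
KNOWN_AUTHORS = {
    "alice": (
        "It is, however, quite clear that the matter which concerns us is "
        "not simple. However, the argument which follows is quite persuasive, "
        "and that is what matters. The conclusion, which I find quite sound, "
        "is however not the end of it."
    ),
    "bob": (
        "I went to the shop and got bread. It was good and cheap. But the line "
        "was long and I was late. So I ran home and ate. The bread was fine and "
        "the day was done. But I was tired and went to bed."
    ),
}

# Constructed "anonymous" text written in alice's habitual style.
ANONYMOUS_TEXT = (
    "The question, however, is quite different from the one which was posed. "
    "However, the answer which follows is quite clear."
)


def tokenize(text):
    """Lower-case word tokens; apostrophes kept so contractions stay whole."""
    return re.findall(r"[a-z']+", text.lower())


def profile(text):
    """Relative frequency of each function word in the text."""
    tokens = tokenize(text)
    total = max(len(tokens), 1)
    counts = Counter(tokens)
    return [counts[w] / total for w in FUNCTION_WORDS]


def cosine(a, b):
    """Cosine similarity between two equal-length vectors (0.0 if either is empty)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def similarity_scores(unknown, known):
    """Map each known author to the similarity of their profile with `unknown`."""
    unknown_profile = profile(unknown)
    return {name: cosine(unknown_profile, profile(text)) for name, text in known.items()}


def attribute(unknown, known):
    """Name of the known author whose profile is closest to the unknown text."""
    scores = similarity_scores(unknown, known)
    return max(scores, key=scores.get)


if __name__ == "__main__":
    scores = similarity_scores(ANONYMOUS_TEXT, KNOWN_AUTHORS)
    for name, score in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{name}: {score:.3f}")
    print("attributed to:", attribute(ANONYMOUS_TEXT, KNOWN_AUTHORS))
```

Running it attributes the anonymous text to "alice" with a markedly higher score than "bob", and `similarity_scores` shows the margin. The defensive reading is the useful one: the words driving that match are ordinary hedges and connectives rather than anything topical, so a writer who wants a pseudonymous text to stay unlinked has to change habits at that level, which is the kind of targeted suggestion the paper's approach is about.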

UK – Anonymisation Network Launched at University of Manchester

The University of Manchester has launched a new expert network that will help businesses to safely manage and share sensitive information. The UK Anonymisation Network (UKAN) was supported by the University and is now led by Dr Mark Elliot, who is based at The University of Manchester’s School of Social Sciences. Funding was provided by the UK Information Commissioner, while the Open Data Institute also offered support alongside the Office for National Statistics and the University of Southampton. UKAN will provide advice to organisations and companies on how to reduce the risks around holding personal details of individuals and the inadvertent sharing of data. The network aims to lay a foundation of best practice for anonymisation and give advice to anyone who handles sensitive data, especially those in health, education and policing. UKAN will help to deliver the Government’s Transparency Initiative, which hopes to dispel any culture of data secrecy within Government departments, public bodies, businesses and other organisations. “The network will also provide important best practice advice on how data can be successfully anonymised in compliance with the UK Data Protection Act,” said Christopher Graham, UK Information Commissioner. [Source]


WW – Chinese CERT Reports Increases in Mobile Malware – 80% on Android

According to data from the National Computer Network Emergency Response Team/Coordination Center of China (CNCERT/CC), China experienced a 25-fold increase in detected mobile malware samples between 2011 and 2012. More than 80% of the malware samples targeted Android devices. Forty percent of the malware was designed to launch fee-based services on the mobile devices. CNCERT/CC also reported that in 2012, 73,000 Trojan and botnet command-and-control servers hijacked 14.2 million host machines in that country. [ComputerWorld] [ZDNet] [PCWorld] See also: [Critical Android Flaw Lets Attackers Insert Code Into Signed Apps] and [South Korean Defense Ministry to Prohibit Certain Smartphone Functionality]

US – CTO Tests Company Employees’ Phishing Smarts

Several weeks ago, the chief technology officer at Atlantic Media sent out a phony phishing email to all 450 company employees. The message appeared to come from Google Apps and asked recipients to click on a link to confirm their account information. When the employees clicked on the link, they were taken to a website that revealed the security test. About 120 employees clicked on the link. Another 120 opened the message but did not click on the link. CTO Tom Cochran noted, “Telling someone that something is bad can happen is not as good as demonstrating it.” The remaining employees either called or messaged Cochran about the suspicious message, and some flagged it in their inboxes. While Cochran believes in the value of security education for employees, Bruce Schneier says such training programs are a waste of companies’ time and money, because “you’re only as strong as your worst offender.” Schneier noted that a better choice would be “investment in systems that take user mistakes out of the loop.” [SCMagazine]

US – Symantec Releases Mobile Privacy Product

Symantec has released a new privacy product capable of scanning a mobile device for data an application may be leaking about the user. Norton Mobile Security for Android devices checks for “malicious applications, privacy risks and potentially risky behavior.” While Norton’s suite of mobile security products have typically focused on malicious threats, Michael Lin, vice president of Symantec Mobility Solutions, said that this latest solution reacts to the fact that “now we are seeing threats impact mobile applications and data being shared without the user’s knowledge or consent.” This latest product aims to “protect users from these types of privacy threats as well.” [Source]


WW – Spying Reports Give Momentum to ECPA Reforms, Spur Legal Actions

Revelations about the U.S. NSA surveillance of domestic and foreign communications should add momentum to the already politically charged atmosphere surrounding updates to the U.S. Electronic Communications Privacy Act—and on both sides of the aisle, Politico reports. Already, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) has co-sponsored a reform bill, and House Judiciary Committee Chairman Bob Goodlatte (R-VA) has pledged to make the issue a priority. In the UK, lawyers for Privacy International have filed legal papers calling for an immediate suspension of Britain’s use of material from the NSA’s PRISM program, and in the U.S., The New York Times reports on EPIC’s plans to file an emergency petition with the Supreme Court today asking that it stop the NSA’s surveillance program altogether. The Hill discusses “five unanswered questions about the NSA’s surveillance programs,” including the scope of the programs, additional data being collected under the USA PATRIOT Act and other programs the public may not be aware of, and The Guardian reports on the NSA’s bumpy ride at a recruitment drive on a U.S. college campus last week. See also: [‘America has no functioning democracy’ – Jimmy Carter on NSA]

EU – EU Officials, U.S. Privacy Group Seek Answers, Action

PC World reports the “European Parliament gave European Commissioners and national ministers some extra ammunition Thursday in discussions with the U.S. following allegations about American spying and the PRISM scandal: possible suspension of data-sharing agreements.” The European Parliament is asking the U.S. “to provide full disclosure of any spying activities” and has established an inquiry to review the allegations, but it “stopped short of suspending bilateral trade talks due to start on Monday,” the report states. Meanwhile, the European Commission has written to the UK for answers about its surveillance program, Tempora. In the U.S., the Electronic Privacy Information Center’s Domestic Surveillance Project announced Thursday that it plans to file a petition with the Supreme Court “to vacate the Foreign Surveillance Intelligence Court ruling” authorizing the NSA’s collection of metadata on U.S. phone calls. [Source] SEE ALSO: [Claims that France has Internet spying program similar to America’s hugely embarrassing to Hollande]

EU – German Chancellor Calls for New ISP Agreement; NSA Fallout Continues

German Chancellor Angela Merkel has called for a strict European agreement on data protection that would require all ISPs operating in Europe to reveal the personal information they keep and with whom they share it. Merkel has suggested that the requirement could be codified within the International Covenant on Civil and Political Rights, but there’s some doubt as to the feasibility of that. Meanwhile, EU Justice Commissioner Viviane Reding said revelations surrounding the U.S. National Security Agency’s surveillance program helped add momentum to the case of those already calling for stronger data protection measures in the EU. Meanwhile, Politico reports on privacy issues’ impact on U.S.-EU trade talks. [CNN] See also: [No Feds at DEF CON, What Comes Next?]

US – Brick-and-Mortar Tracking on the Rise

Last year, department store Nordstrom sought to learn more about its customers by testing a new technology that allowed it to track customers’ movements via the WiFi signals from their cell phones. But when it posted a sign telling customers they were being tracked, it heard complaints and eventually ended the program. “The creepy thing isn’t the privacy violation, it’s how much they can infer,” said one shopper. An increasing number of businesses now offer the technology for brick-and-mortar shops to track users like digital shops can. Meanwhile, the ACLU has criticized AT&T’s plans to sell anonymous customer location data, saying customers can be identified. [The New York Times] [Senator Franken Letter to Euclid] See also: [TTC suspends covert camera use]

Telecom / TV

US – AT&T Privacy Policy Updated, May Start Selling Anonymous User Data

AT&T has a new privacy policy and may begin selling anonymized user data to third parties. The company cites “more relevant advertising” as its reason for selling the data, joining other big tech companies in the practice. AT&T will offer customers the opportunity to opt out, and plans to sell demographic and device information as well as information on viewing behavior through its television service. Pointing to Verizon’s use of consumer data, AT&T’s privacy policy states, “we similarly plan to provide our customers with these sorts of personalized services, and we’re committed to doing so in line with our long-standing policy to respect and protect our customers’ privacy.” [Slashgear]

US Government Programs

US – NSA Files Show Microsoft Encryption Was Bypassed

The Guardian reports on documents obtained from Edward Snowden on the U.S. National Security Agency’s (NSA) surveillance programs that indicate encryption was bypassed to access documents. The documents show “Microsoft helped the NSA to circumvent its encryption” and the NSA had “pre-encryption stage access to e-mail on, including Hotmail,” the report states. Microsoft has responded, “When we upgrade or update products, we aren’t absolved from the need to comply with existing or future lawful demands,” noting customer information is only provided “in response to government demands, and we only ever comply with orders for requests about specific accounts or identifiers.” Meanwhile, The New York Times reports that Sen. Ron Wyden (D-OR) has said he believes the NSA may soon abandon the practice of collecting bulk phone records.[Source] See also: [US-Made Internet Monitoring Tools Detected on Networks in Sudan, Iran, and Syria]

US – FISA Court Wants Obama to Declassify Yahoo Case

The U.S. Foreign Intelligence Surveillance Court has ordered the Justice Department to review a 2008 secret court opinion—allegedly requiring Yahoo to turn over online communications of its consumers—to determine how much it can publicly release. Judge Reggie B. Walton also called on the Justice Department to review the arguments Yahoo and the government made in the case. Walton would then publicly release the court’s justification. Meanwhile, the Electronic Frontier Foundation has recognized Yahoo “with a star of special distinction” in their Who Has Your Back survey “for fighting for its users in (secret) courts.” [The Washington Post] See also: [For NSA chief, terrorist threat drives passion to ‘collect it all,’ observers say] [Can Gov’t Safely Use FISA To Justify Surveillance?]

US – Postal Service Tracking, Retaining Images of Mail

The New York Times reports on a little-known but long-running surveillance system by the United States Postal Service (USPS). Leslie James Pickering, a bookstore owner who, a decade ago, was spokesman for a radical environmental group flagged by the FBI as eco-terrorists, noticed a handwritten card mistakenly delivered with his mail stating that any mail headed to his address should be shown to a supervisor first. He was being tracked by the Mail Isolation Control and Tracking program, in which the USPS photographs the exterior of every piece of paper mail processed in the U.S. The more-than-a-century-old program provides such images to law enforcement officials who request them, the report states. [Source]

US – Updated COPPA Rules Now in Effect

The US Federal Trade Commission’s (FTC’s) revised rules for the Children’s Online Privacy Protection Act of 1998 (COPPA) took effect on July 1, 2013. The law prohibits the collection of personal data from children without first obtaining verifiable parental consent. It also requires websites to have clear and accessible privacy policies, and to ensure the security of the information they collect from children under age 13. The updated rules specify that personal information now includes “geolocation information and persistent identifiers that can be used to recognize a user over time and across different websites or online services,” as well as photos, videos, and sound recordings. COPPA applies to smartphone apps as well as websites. [Information Week] [COPPA Amendments]

US – NPPC Joins in Lawsuit over EPA Privacy Breach

The American Farm Bureau Federation and the National Pork Producers Council (NPPC) have jointly filed a federal lawsuit and temporary restraining order to halt disclosures of farmers’ personal information by the U.S. Environmental Protection Agency (EPA). The move comes after the EPA released the personal information of tens of thousands of farmers, including names, addresses and personal contact information, after a number of Freedom of Information requests by animal rights groups. Filed before the U.S. District Court for the District of Minnesota, the order seeks to stop the disclosures and clarify the EPA’s role in keeping personal data private in such circumstances. [National Hog Farmer]

US Legislation

US – Florida Attorneys Work to Overturn Malpractice Law

Five lawsuits filed in state and federal courts on Monday claim a new Florida state law (SB 1792) violates patients’ privacy rights. The law, which went into effect on Monday, aims to protect doctors facing malpractice suits and, according to one complaint, authorizes “unlimited and unfettered release of personal health information to those defendants without the valid consent of claimants.” “The law allows—but does not require—any healthcare provider called as a witness to breach patient confidentiality and give the defendant’s attorneys information about a patient’s treatment,” reports The Miami Herald. The provision applies only to the pre-filing informal fact-finding period; once a suit is filed, court rules apply. The suits, filed in Tallahassee, West Palm Beach and Miami federal courts and in state courts in Pensacola and Fort Lauderdale, claim this provision contravenes HIPAA.

US – Missouri Gov. Vetoes Workers’ Compensation Database

Missouri Gov. Jay Nixon axed a bill that would have created a database of workers who have filed workers’ compensation claims in the state. The law would’ve allowed employers to input job applicants’ names and Social Security numbers into the database to see whether they had filed a claim, the date of the claim and its status. According to a report in The Republic, Missouri’s Division of Workers’ Compensation estimated the database would start out with 554,000 records, adding about 13,000 per year.

US – Senate Issues Draft Cybersecurity Bill

The US Senate is circulating a draft cybersecurity bill. A similar measure failed last year. The bill aims to establish voluntary cybersecurity standards for organizations that operate elements of the country’s critical infrastructure. It also calls for increased research and development in cybersecurity defenses and increased software vulnerability information sharing. [NextGov] [The Register]

Workplace Privacy

US – Court Ruling Impacts BYOD

What happens to an employee’s expectation of privacy regarding her personal e-mails on her company-issued Blackberry after she leaves the company? If a recent ruling by the U.S. District Court for the Northern District of Ohio stands up to further scrutiny, the answer could be that a former employee has greater expectations of privacy after her departure than while she was still employed. In Lazette v. Kulmatycki, the court ruled the Stored Communications Act (SCA) applies to unauthorized access of employees’ personal e-mail accounts, among other determinations. [Source]

CA – Enforcement of Privacy Policy in Steel v. Coast Capital Savings Credit Union

In a recent decision of the British Columbia Supreme Court, the Court upheld the termination for cause of a help desk analyst in the IT department who had been employed for over 20 years at Coast Capital Savings Credit Union. (Steel v. Coast Capital Savings Credit Union, 2013 BCSC 527) Employees at Coast were permitted to have a personal folder in which they would keep confidential business documents. Under the privacy policy at Coast, the files in the personal folder could only be read or edited by the employee who had the folder. Help desk employees were allowed to access personal folders but could only do so to resolve a technical problem and only if the employee who had the personal folder first gave permission to the help desk to access the folder. The restrictions on access to personal folders were clearly set out in the privacy policy at Coast. An employee tried to open a confidential spreadsheet in her personal folder. She got a message on her screen that the document was already in use by the help desk. The document in question was a waiting list of employees for parking spots. This was a confidential document that had information about employees’ seniority and rates of pay. The help desk employee had not requested permission to view the document in the other employee’s personal folder. She accessed it because she was curious about the waiting list for parking. Coast terminated her employment on the basis of breach of the trust “that is required in a position that holds access to confidential and private information.” Coast stated that it no longer had confidence in her. The Supreme Court decided that the help desk employee was in a position of trust because she was “given the ability to access confidential documents” as a result of her position on the help desk. She was not allowed to do that without the consent of the other employee. The Court stated that, “the employer had to trust Ms. Steel to obey its policies and follow the protocols. It had to trust Ms. Steel to only access such documents as part of the performance of her duties and follow the protocols when she did so. Such trust was fundamental to the employment relationship in relation to Ms. Steel’s position.” Accordingly, the Court upheld the termination for cause. The Court’s decision to uphold the termination for cause of an employee with over 20 years of service for a single breach of the privacy policy is a clear indication that Courts are prepared to treat privacy issues very seriously. If employees in a position of trust violate privacy policies, they may well be subject to termination for cause. [Source]

US – BYOD Spurs Worker Worry About Personal Privacy

Employers aren’t the only ones worried about workers using their own mobile devices in the office, new research shows. A study by network access solutions provider Aruba Networks revealed that BYOD, the term used for employees using personal smartphones and tablets for work purposes, is causing workers to be fearful of their employer checking out their personal information. Specifically, 45% of U.S. workers worry about giving their company’s IT department access to their personal data, and 46% said they would feel violated if their IT staff were to access any personal information contained on their mobile devices. The research found that these concerns are leading many employees to keep their personal devices away from the IT department, thus putting company data at risk. Nearly 20% of U.S. workers have not told their employers that they use a personal mobile device for work. The study discovered that some employees are so insistent on keeping their mobile-device use private that they would delay or fail to inform their employer about a data breach. More than 10% of those surveyed would not report that their personal device had been compromised, even if it leaked company data, and 36% would wait before reporting the data breach. [Source]

UK – Home Office Asks Supreme Court to Make Landmark Privacy Ruling

Britain’s Supreme Court judges are being asked to make a controversial ruling on whether the criminal records disclosure system infringes the human rights of some former offenders, preventing them from getting jobs. Home Office lawyers are asking the Supreme Court justices to overturn an Appeal Court ruling that the records disclosure system violated the human rights of some people who argue that previous incidents, where they got into trouble with the police, should be kept secret. Lawyers say the hearing later this month will result in one of the UK’s most important privacy rulings to date and could further provoke critics of human rights laws who are already angry at a recent European Court ruling that criticised Britain for its system of indeterminate life sentences for people convicted of the most serious offences, including multiple murders. Some MPs have argued for tightening rules on the reporting of convictions, particularly serious ones, to deter offenders from even applying for jobs working with the vulnerable. But civil liberties campaigners claim the existing rules mean that teenage “indiscretions” can blight employment prospects for a lifetime. The Appeal Court said the records disclosure regime legitimately sought to protect employers and children or vulnerable adults, but held that the disclosure of all convictions and cautions was “disproportionate” to that aim. An independent review of the disclosure regime has already recommended the introduction of a filter to remove minor and old convictions where appropriate, but the Government says it is still considering the issue. The UK government has already faced criticism from Strasbourg on this issue after it ruled that blanket notification rules imposed on sex offenders without the possibility of review breached their human rights. David Cameron described that decision as “appalling”. The far-reaching implications of any Supreme Court ruling became clear after The IoS learnt that vetting checks on people applying for jobs in “caring professions” have turned up almost a quarter of a million crimes in the past two years alone. Nick Pickles, director of the civil liberties group Big Brother Watch, said: “The risk-averse culture within the public sector has meant people struggle to get a second chance if they have any blemish on their past.” [Source]


16-30 June 2013


CA – Poor Data Breach Tracking, Reporting Concerns Privacy Commissioner

Canada’s privacy czar has singled out several federal departments for their lacklustre approach to data breaches, citing a need for better reporting, security and tracking protocols. Jennifer Stoddart’s office has compiled a preliminary list of agencies with potentially worrisome patterns when it comes to the loss of Canadians’ personal information. The analysis is based on departmental figures tabled in Parliament in April in response to a question from New Democrat MP Charlie Angus. The response indicated there were more than 3,000 data breaches over a 10-year period affecting about 725,000 Canadians. After taking a close look at the numbers, the privacy commissioner identified nine departments and agencies that may lack adequate reporting mechanisms, have faulty security procedures or require improved tracking protocols. During a recent meeting, Stoddart urged Treasury Board President Tony Clement to amend privacy law to make reporting of federal data breaches mandatory. [Source]

CA – Gun Registry Data to Be Deleted in Quebec: Court

A Quebec court has sided with the Harper government, saying the province has no right to the federal long-gun registry data. Quebec’s highest court has ruled against the provincial government, which is trying to save data for that province from being destroyed. “Quebec has no property right in the data,” said the 14-page verdict. “The data does not belong to Quebec, and the provinces have no control over it. The Parliament of Canada, which considers the data at issue to be pointless and inefficient, and believes that its existence in a registry infringes the right to privacy, can certainly decide to stop compiling and preserving that information,” it noted. Various observers have predicted the issue will wind up before the Supreme Court. The long-gun registry was scrapped in the rest of Canada last year, but remains operational in Quebec following a series of injunctions safeguarding the Quebec data and ordering the registry be maintained while the federal-provincial battle plays out in court. [Source]

CA – Saskatchewan Privacy Rights Lag Behind Rest of West: Report

Saskatchewan’s Information and Privacy Commissioner says this province is lagging behind its neighbours in Western Canada in both privacy and access to information matters. Gary Dickson, who released his final annual report this week, says citizens of British Columbia and Alberta have stronger rights in these areas than people in Saskatchewan. His second five-year term as information and privacy commissioner ends April 27, 2014. In his report, Dickson says when it comes to access and privacy, “Saskatchewan is still a have-not province.” Dickson said he’d like to see administrative responsibility for privacy and access cases be moved out of the Ministry of Justice, citing concerns that the ministry takes an adversarial role. Another ministry might be better suited to promoting citizens’ access and privacy rights, he said. [Source] SEE ALSO: [Regina police aren’t required to identify pin pad fraud businesses] and [Canadians questioning privacy rights]

CA – Alberta Commissioner Rules Against Secret Trucker Database

This recent decision of the Privacy Commissioner of Alberta (Professional Drivers Bureau of Canada Inc. Case File Number P1884) deals with the collection of personal information of truck drivers by a private service company, called the “Professional Drivers Bureau”. This company collected personal information about drivers from trucking companies, created a database of information, and then offered a search service, by which trucking companies paid a fee for a report on the driver. In that report, the personal information about the driver was disclosed to the trucking company. The personal information was gleaned and compiled into a database over a long period of time, and it became clear during the Commissioner’s investigation that the individuals never consented to this collection, use and disclosure. The Commissioner ultimately decided that the “Professional Drivers Bureau” was in breach of Alberta privacy laws because it never obtained consent directly from the individual truck drivers. [Source]

CA – Alberta Premier Wants Anonymous Online Tool to Report Bullying

Alberta could soon move to implement a system to allow for anonymous online reporting of bullying in real-time and is also looking to give police enhanced powers to combat the harassment and abuse of young people, says Premier Alison Redford. With bullying a hot topic at Monday’s Western Premiers’ Conference, Redford said she would like to follow the path of British Columbia, which brought in an online reporting mechanism as part of its “Erase Bullying” initiative in the wake of the suicide of bullied teenager Amanda Todd. B.C. Premier Christy Clark said the system allows students to report incidents of bullying as they are happening. School personnel are notified immediately, as are emergency personnel if necessary, she told reporters at the premiers’ closing news conference. As a follow-up, professionals at the district level connect with the school to provide support in dealing with the bully and the victim appropriately. “The important thing about this, though, is that it’s not an app that you load on to your iPhone, because kids don’t want to have a fink app on their iPhone. It’s an online reporting tool that you can go to on the web,” said Clark, who said there are “thousands” of cases of bullying occurring daily, but youth are afraid to report them because of the potential for retribution. [Source]


US – Retailer Sued for Collecting Customer Zip Codes

Urban Outfitters Inc., is facing a class action in Washington federal court over allegations the clothing retailer collected customer zip codes in violation of District of Columbia consumer protection laws. The complaint, filed June 21 in U.S. District Court for the District of Columbia, accused Urban Outfitters Inc. of asking for customer zip codes in a way that implied the information was required to complete a credit card transaction. The plaintiffs claimed Urban Outfitters, which also owns Anthropologie-brand stores, used the zip codes to track down customer addresses for marketing purposes. [Source]

UK – Biz Launches Data-Driven Car Insurance for Youth

UK-based Tesco Bank has launched a new car insurance service that tracks and analyzes driver behavior to determine policy rates. The service, called Box Insurance, places technology in a customer’s vehicle and uses telematics data from the car, which is then sent to the insurer’s data center for analysis. The Association of British Insurers recently posted an advisory note warning that companies must be transparent about their data use, stating, “Consumers need to trust insurers to treat them fairly and protect their personal information.” Tesco has said it will “keep all your data, including driving data, safe and confidential,” adding that it won’t “share driving data with the police or other bodies without a court order or your consent, unless we suspect fraud.” [Information Age]


CA – Taxpayers Assured Protection When Lodging Complaints Against Taxman

Canada’s taxpayers’ ombudsman is offering help for people who fear there may be a backlash if they lodge a complaint against the revenue department. Ombudsman J. Paul Dube has made an addition to the Canadian Taxpayers Bill of Rights that says Canadians are entitled to lodge service complaints and request formal reviews without fear of reprisal from the CRA. Dube says the new right was created because some taxpayers fear exercising their rights when dealing with the CRA. [Source] SEE ALSO: [Two CRA employees violated privacy laws for years before being caught, reports show] and [ON: Watchdog slams McGuinty’s office over deleted emails]

US – Plans for Data-Sharing Steeped in Privacy Concerns

Virginia state plans to implement a data system aimed at improving student preparation for college and workforce. The talks have been steeped in privacy concerns surrounding student data, which school officials well understand based on recent news on the National Security Agency’s surveillance methods. “This is not the greatest time in government to be talking about the cool data we collect,” said a spokesman for the Virginia Education Department. “It’s right for parents to be concerned about privacy. We share that concern.” The system would allow agencies to share data to track student progress, helping officials to create policies around the most successful routes. [The Washington Post]

CA – New App Could Let Citizens Report Illegal Parking, Get Cut of Fine

A new app called SpotSquad could soon pay people to report parking infractions to authorities. The concept is simple, says Chris Johnson, co-founder of the app: when someone sees a parking violation, they simply need to open up the app on their smartphone, upload a photo, choose the type of infraction and submit it – the photo is then sent to regional parking authorities who can dispatch a ticket warden. If the tip results in a fine, tipsters get a cut deposited into their bank accounts or donated to their favourite charities – as much as 10 or 20%, says Johnson. The group hasn’t yet struck any deals but says it’s open to working with municipalities and private parking lot operators. A similar app already exists in the U.S. Texas-based Parking Mobility runs a program that allows trained volunteers to take photos of cars parked in disabled spots. Rewards are paid out to charities or parking offender rehabilitation programs. The program works because the organization has spent years negotiating agreements with police departments and cities. Parking Mobility has also launched a pilot project in Vancouver, but results have been disappointing: unlike in the U.S., tipsters are prohibited from reporting on violations made on private property. The Canadian app, SpotSquad, could open up a legal minefield, according to a Winnipeg lawyer specializing in privacy and social media law. Public sector workers who do similar work are bound by privacy laws, lawyer Brian Bowman told CTV Winnipeg. That wouldn’t be the case with this app. “You are empowering citizens and paying them to arguably act as an agent for you,” he said. [Source]


US – Texas Governor Signs Strict eMail Privacy Bill

Texas Governor Rick Perry has signed House Bill 2268 into law. The measure requires that law enforcement obtain a warrant before snooping on email. The law takes effect immediately. It makes Texas the first state with a law more stringent than the federal Electronic Communications Privacy Act (ECPA), which requires a warrant only for unopened email that is less than 180 days old. [Source] [Source] SEE ALSO: [GEIST: Is the Government About to Can Its Own Anti-Spam Law?]

EU Developments

EU – France Gives Google 3 Months to Address User Data Privacy Concerns

French data privacy body, Commission Nationale de l’Informatique et des Libertes (CNIL), has given Google three months to implement changes to the way it collects and manages customer data. The commission found Google to be in violation of the French Data Protection Act. CNIL’s June 10 decision lists the changes it expects from Google, including explaining to users how the data it collects will be used, and not retaining data beyond the time necessary for the purpose for which they were collected. If Google does not comply with the order, the company could face sanctions. Google is facing enforcement action over privacy practices in several other EU countries, including Spain and Germany. [CNET] [The Register] [ComputerWorld] [Reuters]

EU – Albrecht: Reports Suggest NSA Intercepted Regulation Data

“If the actual revelations on these spying activities are true, then it is completely clear that there have been also interceptions with the activities of this regulation,” German Green MEP Jan Philip Albrecht said of the EU’s draft data protection regulation in response to this weekend’s reports on the U.S. National Security Agency (NSA) allegedly spying on EU activities. The report also describes lobbying efforts against the draft regulation by the U.S. government and U.S.-based companies, quoting Albrecht as saying, “Perhaps it’s time to re-discuss once more if we really want to completely exclude national security from the scope of the regulation.” A European Commission spokeswoman has called the weekend allegations “disturbing” and said the European External Action Service has asked Secretary of State John Kerry to respond. [EUObserver] SEE ALSO: [Ars Technica: Students Challenge Firms Over NSA Data Transfers]

EU – Rule Sets Out Data Breach Notification Expectations for Telecoms and ISPs

The European Union has issued new regulations describing the responsibilities of telecommunications companies and ISPs when they experience data breaches. The incidents must be reported to data protection authorities within 24 hours of their discovery. The companies must report the size and nature of the breach, what data were compromised, and what steps they have taken to address the issue with customers. Businesses and consumers will be told of the breach if it “is likely to adversely affect personal data or privacy.” That decision will be made by the national data protection authorities using a test to be provided by the European Commission. Notification of authorities has been required for several years, but the new regulation establishes specific details. Companies can be exempt from the requirements if they encrypt data. [PC World] [ZDNet]

EU – Search Engine Not Controller, EU Court Rules

The EU’s top court ruled that Internet search engines cannot be considered “the controller” of personal data hosted on other websites. EU Court of Justice Advocate General Niilo Jaeaeskinen said in a nonbinding opinion, “A national data protection authority cannot require an Internet search engine service provider to withdraw information from its index.” The case, C-131/12, stems from approximately 200 orders from Spain’s Data Protection Authority for Google to remove personal data from indexed websites. A spokesman for Google said, “This is a good opinion for free expression…We’re glad to see it supports our long-held view that requiring search engines to suppress ‘legitimate and legal information’ would amount to censorship.” [Bloomberg]

EU – Court Backs Google in Privacy Case

Google must respect EU privacy law but is not obliged to delete sensitive information from its search index, an adviser to the highest EU court said, in a case that tests whether people can have harmful content erased from the Web. The adviser backed the internet search giant’s position that it cannot erase legal content from the internet even if it is harmful to an individual. But he rejected the view of many U.S. internet firms that they are not bound by EU privacy law. “Requesting search engine service providers to suppress legitimate and legal information that has entered the public domain would entail an interference with the freedom of expression,” the Luxembourg-based court said in a statement setting out Advocate General Niilo Jaaskinen’s opinion. While internet-based firms operating in the European Union must adhere to national data protection laws, that did not oblige them to remove personal content produced by third parties, the statement said. “Search engine service providers are not responsible, on the basis of the Data Protection Directive, for personal data appearing on web pages they process.” Lawyers agree that Google’s search algorithms, which hunt and list weblinks based on how relevant they may be, would not be in a position to “know” whether data was personal or not. A final judgment on the case is expected before the end of the year. [Source]

EU – Taking Photos in Private Settings to Be Illegal in Sweden

Sweden has taken the unusual step of making it illegal to take pictures in private environments without permission. The new privacy law takes effect July 1, and it carries with it some strict penalties, ranging from a fine to a jail term of up to two years. That gives judges some ability to harshly punish someone taking secret video of people in changing rooms, while being more lenient on someone who took otherwise innocent photos in a person’s home. The new law would also make certain other acts illegal, such as installing a camera intended to take secret photos, even if no photos are actually taken. Critics say the law is a bit vague, as everyone’s definition of a private environment is different. A supermarket may be open to the public, but it’s privately owned. Exceptions are made in the law for journalists, though the Swedish Union of Journalists stands in opposition to it. “What’s unfortunate about this law that the parliament has approved is that a professional photographer doesn’t know when he raises the camera to take a picture if he is committing a criminal act or not,” explains board member Stephen Lindholm. “The risk is that pictures that should be taken aren’t because of fear of committing a crime.” [Source]

EU – Italian Garante Concerned About Government Measures

The president of Italy’s Data Protection Authority, the Garante, has voiced concerns about the Italian government’s recent measures aimed at simplifying the country’s data protection code. Garante President Antonello Soro’s concerns are that the government measures are “in breach of the EU Directive, Lisbon Treaty and Italian laws as well.” [Source]

Facts & Stats

WW – Firms Take 10 Hours to Spot Data Breaches, McAfee Finds

The average organisation believes it would spot a data breach in 10 hours, a McAfee global survey of IT professionals has found. But is that result good, indifferent or an indication of the downright complacent? The firm’s interrogation of 500 decision makers from the US, UK, Germany and Australia earlier this year found that 22% thought they’d need a day to recognise a breach, with one in 20 offering a week as a likely timescale. Just over a third said they would notice data breaches in a matter of minutes, which counts as real-time by today’s standards. In terms of general security, three quarters confidently reckoned they could assess their security in real-time, with about the same number talking up their ability to spot insider threats, perimeter threats and even zero-day malware. All of this was despite 58% admitting they had suffered a data breach in the last year with only a quarter spotting that fact within minutes. When trying to locate the source of the breach – the most important aspect of any detection and remediation regime – a third said it took a day and 16% as long as a week. In McAfee’s view the general optimism buried in some of these numbers belies the probability that many organisations over-estimate both the speed at which they notice breaches and their ability to quickly trace their source. Third parties have backed them up on this, especially a survey from security vendor Trustwave that found that many data breaches take months to spot, with the average being 210 days; 14% take longer than two years. [Source]

MX – Study Highlights Data Breach Concerns

A Unisys study has found that 82% of Mexicans are “very concerned” about data breaches. The study showed that of the survey’s 1,052 respondents, most are concerned about breaches at banks and financial institutions followed by those at healthcare organizations, government agencies and telcos and Internet service providers. “Anxiety related to data breaches in Mexico seems pervasive and continues to persist despite efforts by governments and commercial organizations to secure consumers’ financial data,” the report states. However, the survey also found low reporting for cybercrime. [BNamericas]


CH – Swiss Court Stops Handover of Credit Suisse Employee’s Data to U.S.

A Swiss court has ordered an injunction halting the transfer of a former Credit Suisse employee’s data to U.S. tax authorities. The ruling highlights Switzerland’s difficulties in balancing traditions of personal privacy against U.S. demands for data from roughly a dozen Swiss banks under formal investigation by U.S. prosecutors. Those banks, including Zurich-based Credit Suisse, have been handing over information on their U.S. dealings for months now, part of efforts to avoid indictment and minimise fines for their role in helping wealthy While these banks have clinched special Swiss government permission to deliver business data – but no client files – parliament failed last week to back a draft law covering the wider Swiss banking industry. While the court ruling is for one person’s data, “it will set a precedent and could be repeated for other employees who had access to U.S. clients.” [Source] SEE ALSO: [Payment Privacy: Are Untraceable Purchases Ever Okay?] and [Bank’s new cybersecurity audits catch law firms flat-footed]


US – FISA Court Says Google and Microsoft May Disclose Procedural Information

The US Foreign Intelligence Surveillance Court has granted Microsoft and Google the right to disclose “procedural information” related to their legal challenges of gag orders that accompany national security requests. These orders prohibit the companies from disclosing details about the data they provide to the government. The companies want to clear their names of allegations that they gave the NSA unfettered access to their servers. Both companies say they provide data only when they receive a legal request supported by a court order. [The Register] [Politico] [CNET] [Source] [Source] [Source]

WW – Google Adds Malware Statistics to Transparency Report

Google will be adding statistics about malware to its transparency report. Google’s transparency report currently documents criminal requests and national security requests from governments worldwide, though it does not include requests from the federal Foreign Intelligence Surveillance (FISA) court regarding Google’s foreign users. Since that court made headlines this month, Google and other tech companies have been trying to contain the public relations crisis that has resulted from revelations that they have been aiding government surveillance efforts when ordered to by the court. Google has since filed a legal motion asking the government to relax its gag order and allow the company to disclose the number of FISA requests it receives. At the same time, Google said it would also be expanding its transparency report to include new numbers around malware and phishing attacks on the Internet. In 2006, Google started searching for, and flagging, suspect Web sites for its users. It is now flagging some 10,000 sites a day. The company said its transparency report would now document how many people see its security warnings each week, where malicious sites were hosted around the world (and by which ISPs), how long it took for webmasters to clean up their sites, and how quickly Web sites got re-infected after they were scrubbed of malware. As an example, during the first week of June, Google detected 37,000 legitimate sites that had been compromised to host malware and 4,000 sites that were created specifically to host malware. Earlier this year, it took websites an average of 50 days to clear themselves of reported malware. Google said it has been working on gathering the relevant statistics for the last six months and that it would begin updating its transparency report weekly. [The New York Times] [DarkReading] [eWeek] [CNET] [Ars Technica] [h-online] [SC Magazine] SEE ALSO: [Peter Fleischer: Mirror, mirror on the wall, who is the ugliest one of them all?]


US – Experts Propose Consolidating DNA Databases

This month an international group of nearly 80 researchers, patient advocates, universities and organizations like the National Institutes of Health announced that it wants to consolidate the world’s databases of DNA and other genetic information, making data easier for researchers to retrieve and share. But the security and privacy of the study subjects are paramount concerns, said Dr. David Altshuler of the Broad Institute of Harvard and M.I.T., a leader of the group. “The problems are not yet solved in any general way,” Dr. Altshuler said. “We want to work to solve them.” For years now, a steady stream of research has eroded scientists’ faith that DNA can be held anonymously. [New York Times]

Health / Medical

WW – Health Group Releases mHealth Study; Privacy in HTML5 Era

A new study by a mobile health advocacy group states there is not a “one-size-fits-all” resolution for mobile privacy legislation. The mHealth Alliance report, Patient Privacy in a Mobile World: A Framework To Address Privacy Law Issues in Mobile Health, also has provided a mobile privacy toolkit for using mobile health technology. The evolving nature of mobile technology “makes it difficult, and some may say ill-advised, to create rigid legal rules that may not fit future mHealth applications or worse that may hamper their development in the first place,” the study states. Meanwhile, CIO reports on how to ensure privacy in the age of HTML5. [Thomson Reuters]

CA – B.C. Health Ministry Told to Strengthen Privacy Practices

Elizabeth Denham ruled that there was a “lack of clear responsibility for privacy within the ministry” at the time of the breaches. She believed this was due, in part, to a lack of clear leadership and clarity of roles. “Ministry privacy governance was further weakened by a complete lack of audit and review of employee and contractor functions relating to privacy,” she wrote. “There were no mechanisms to ensure that researchers were complying with the privacy requirements, as stipulated in contracts and written agreements, and to ensure ministry employees were taking appropriate privacy training and following privacy policies. As a result, ministry employees were able to download large amounts of personal health data on to unencrypted flash drives and share it with unauthorized persons, undetected.” Ms. Denham concluded her report with 11 recommendations, including that the ministry implement technical security measures to prevent unauthorized information transfer; create a program to monitor and audit compliance by employees and contracted researchers; and ensure employees with access to such databases participate in mandatory privacy training. The ministry has accepted and will be implementing all of Ms. Denham’s recommendations, newly appointed Health Minister Terry Lake said. [Source] SEE ALSO: [Doctors experiment with social media and apps] [US: Ingestible smart pills are a hard act to swallow] and [UK: Health watchdog destroyed report in maternity hospital to spare its own blushes]

WW – For Sale: Ingestible Computers to Monitor Your Health

A new wave of prescription pills can e-mail your doctor after being swallowed. Ingestible computers in pill-form can now monitor health data and share it wirelessly with doctors. The pills stay intact throughout the intestinal tract and are powered through stomach acids. The Electronic Frontier Foundation says such a pill has wonderful and terrible aspects. “The wonderful is that there are a great number of things you want to know about yourself on a continual basis…The terrible is that health insurance companies could know about the inner workings of your body.” [The New York Times]

Horror Stories

US – AG Report Reveals Breaches Affect 2.5 Million in 2012

According to a first-of-its-kind report released by California Attorney General Kamala Harris, 2.5 million Californians had personal information put at risk because of electronic data breaches in 2012. Had companies encrypted data when sending it outside of a network, 1.4 million Californians would have been protected. Retail establishments were the worst offenders. Noting the dangers inherent to individuals’ privacy, finances and even personal security, Harris said companies and government agencies “must do more to protect people by protecting data.” [Source]

WW – Facebook Says Technical Flaw Exposed 6 Million Users

Facebook has inadvertently exposed six million users’ phone numbers and e-mail addresses to unauthorized viewers over the last year, the company said. Facebook blamed the data leaks, which began in 2012, on a technical flaw in its huge archive of contact information collected from its 1.1 billion users worldwide. As a result of the problem, Facebook users who downloaded contact data for their list of friends obtained additional information that they were not supposed to have. Facebook’s security team was alerted to the problem last week and fixed it within 24 hours. But Facebook did not publicly acknowledge the flaw until the next week, when it published a message on its blog explaining the situation. A Facebook spokesman said the delay was because of a company procedure stipulating that regulators and affected users be notified before making a public announcement. [The New York Times] SEE ALSO: [Facebook’s White Hat Program Helped Uncover Glitch]

CA – BC Lab Loses Personal Info of 16,000 Patients

About 16,000 patients in Kamloops who used LifeLabs’ medical-lab service in the last six years are being warned their personal information may have been compromised. LifeLabs president Sue Paish says a computer was sent to their main office in Burnaby for servicing, and when it was returned the hard drive was missing. The hard drive held the results of ECGs, or electrocardiograms, and was removed sometime last January. Paish issued an apology for the incident and added the information is password protected and requires special equipment to read. Health Minister Terry Lake learned of the breach last week and wonders why it took so long to notify both the government and the privacy commissioner. Lake says he’s been assured by LifeLabs that it won’t happen again. [Source] Meanwhile, in other news: the personal data of 47,000 Florida teachers was exposed during a data transfer at Florida State University. The personal information was available online for approximately 14 days, according to the state’s Department of Education. Blizzard Entertainment has asked a California federal judge to dismiss a multi-million dollar class action filed after a data breach, stating the plaintiffs have not alleged “actual harm.” And in Seattle, a detective’s stolen laptop has put thousands at risk of identity theft.

US – Carnegie Mellon Publishes Empirical Analysis of Data Breach Litigation

Forbes reports on what organizations can do if they are the unlucky victims of a high-profile data breach. “At a minimum,” the article states, “start providing credit monitoring for victims to reduce litigation risk.” That’s according to researchers at Carnegie Mellon University and Temple University who found a six-fold reduction in the likelihood of being sued in federal court for organizations that provide credit monitoring. The paper, “Empirical Analysis of Data Breach Litigation,” also found a 10-fold increase in litigation if the incident was a cyberattack rather than lost or improperly disclosed data. [Source]

Identity Issues

US – Brill Calls for “Reclaim Your Name” Program

Federal Trade Commissioner Julie Brill has called on Congress to legislate a “Reclaim Your Name” program. Suggesting that Big Data brokers are “taking advantage of us without our permission,” the program Brill has called for would establish technical controls allowing users to access the information data controllers have stored about them, then control it and correct it, the report states. The program could work in tandem with the still-being-negotiated Do-Not-Track (DNT) mechanism, Brill said, adding that she urges “the W3C stakeholders to forge ahead and reach consensus” on DNT. The Direct Marketing Association expressed surprise at Brill’s announcement, noting it has been in talks with her recently on increasing transparency. [AdAge] [Text of Speech to CFP] SEE ALSO: [Forbes: Acxiom Access Feature Delayed But Imminent]

CA – Wearing a Mask at a Riot Is Now a Crime

A bill that bans the wearing of masks during a riot or unlawful assembly and carries a maximum 10-year prison sentence with a conviction of the offence became law. Bill C-309, a private member’s bill introduced by Conservative MP Blake Richards in 2011, passed third reading in the Senate on May 23 and was proclaimed law during a royal assent ceremony in the Senate. Richards, MP for Wild Rose, Alta., said the bill is meant to give police an added tool to prevent lawful protests from becoming violent riots, and that it will help police identify people who engage in vandalism or other illegal acts. The bill is something that police, municipal authorities and businesses hit hard by riots in Toronto, Vancouver, Montreal and other cities in recent years, were asking for, according to Richards. The bill creates a new Criminal Code offence that makes it illegal to wear a mask or otherwise conceal your identity during a riot or unlawful assembly. Exceptions can be made if someone can prove they have a “lawful excuse” for covering their face such as religious or medical reasons. The bill originally proposed a penalty of up to five years, but the House of Commons justice committee amended it and doubled the penalty to up to 10 years in prison for committing the offence. Civil liberties advocates argued the measures could create a chilling effect on free speech and that peaceful protesters can unintentionally find themselves involved in an unlawful assembly. They also noted that there are legitimate reasons for wearing masks at protests; some may be worried about reprisals at work, for example, if sighted at a political protest. [Source]

WW – Yahoo Plans to Recycle Dormant User IDs

Yahoo plans to recycle Yahoo user IDs that have been inactive for a year or more. The company is aware of concerns about the old IDs falling into the hands of people with malicious intent, but says it is going to “extraordinary lengths to ensure that nothing bad happens to our users.” One concern that has been voiced is that someone acquiring a Yahoo ID that is linked with someone else’s Gmail account could request a password reset for the Gmail account and take control of it. The same thing could potentially be done with social media and financial accounts. Yahoo released a statement noting that “any personal data and private content associated with these accounts will be deleted and will not be accessible to the account holder.” [CNET] [WIRED] SEE [“Own the email, own the person”]
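The risk above is that a password-reset link is delivered to an address whose owner has changed since the user bound it. The following added example (not Yahoo’s or any other vendor’s code) models that recycling in a toy mail provider and shows the check a relying site can apply: refuse the reset if the mailbox was re-provisioned after the user last verified it. This is the same idea Yahoo later proposed as the Require-Recipient-Valid-Since header (RFC 7293); all names, dates and the `provisioned_at` lookup are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Mailbox:
    address: str
    provisioned_at: datetime  # when the *current* owner received this address


@dataclass
class Account:
    user: str
    recovery_email: str
    email_bound_at: datetime  # when this user last proved control of the address


class MailboxProvider:
    """Constructed toy mail provider that recycles addresses idle for a year."""

    INACTIVITY_LIMIT = timedelta(days=365)

    def __init__(self) -> None:
        self._boxes: Dict[str, Mailbox] = {}
        self._last_login: Dict[str, datetime] = {}

    def provision(self, address: str, when: datetime) -> None:
        # A (re)provisioned address gets a fresh provisioned_at timestamp.
        self._boxes[address] = Mailbox(address, when)
        self._last_login[address] = when

    def login(self, address: str, when: datetime) -> None:
        self._last_login[address] = when

    def recycle_dormant(self, now: datetime) -> List[str]:
        """Release every address idle for a year and hand it to a new owner."""
        recycled = []
        for address, last in list(self._last_login.items()):
            if now - last >= self.INACTIVITY_LIMIT:
                self.provision(address, now)  # new owner, new provisioned_at
                recycled.append(address)
        return recycled

    def provisioned_at(self, address: str) -> Optional[datetime]:
        box = self._boxes.get(address)
        return box.provisioned_at if box else None


class RelyingService:
    """Constructed site whose password reset is sent to a recovery address."""

    def __init__(self, provider: MailboxProvider) -> None:
        self.provider = provider
        self.accounts: Dict[str, Account] = {}

    def bind_recovery_email(self, user: str, address: str, when: datetime) -> None:
        # In a real system 'when' is the time the user clicked a verification link.
        self.accounts[user] = Account(user, address, when)

    def reset_allowed(self, user: str) -> Tuple[bool, str]:
        """Gate the reset e-mail on the mailbox having kept its owner since binding.

        Equivalent to telling the mail provider 'only deliver if this mailbox
        has been valid since <email_bound_at>' (the RFC 7293 approach).
        """
        acct = self.accounts[user]
        since = self.provider.provisioned_at(acct.recovery_email)
        if since is None:
            return False, "recovery address no longer exists"
        if since > acct.email_bound_at:
            return False, "mailbox changed hands after it was bound; re-verify first"
        return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str]]:
    """Walk through the scenario: bind in 2012, go dormant, recycle in 2013."""
    utc = timezone.utc
    provider = MailboxProvider()
    provider.provision("alice@example.invalid", datetime(2011, 3, 1, tzinfo=utc))
    site = RelyingService(provider)
    site.bind_recovery_email("alice", "alice@example.invalid",
                             datetime(2012, 1, 15, tzinfo=utc))
    before = site.reset_allowed("alice")  # (True, "ok")
    # alice never logs in again; the provider recycles the address to a stranger
    provider.recycle_dormant(datetime(2013, 8, 1, tzinfo=utc))
    after = site.reset_allowed("alice")   # (False, "mailbox changed hands ...")
    return before, after


if __name__ == "__main__":
    print(demo())
```

Without the check, the second reset would go to whoever now holds the recycled address; with it, the site forces re-verification through another factor before any reset e-mail leaves.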

Intellectual Property

US – $675,000 Filesharing Verdict Upheld

The US Court of Appeals for the First Circuit has ruled that a US$675,000 verdict against Joel Tenenbaum for filesharing is justified. In the ruling, the court wrote that although Sony was suing him for just 30 songs, Tenenbaum appears to have made many more songs than that available for sharing. In addition, “During discovery, Tenenbaum lied about his activities. Only at trial did [he] admit that he had distributed as many as five thousand songs.” [Ars Technica] [Document Cloud]

US – US Seized 1,700 Domains Over Three Years in Anti-Piracy Operation

“Operation In Our Sites,” an ongoing effort by US authorities to thwart intellectual property fraud, has seized more than 1,700 websites in the past three years. The offending sites offered illegally streamed sporting events; sold bogus apparel, accessories and counterfeit drugs; and allowed illegal downloads of music and movies. US authorities were able to seize the sites because the domains – .net, .com, and .org – are controlled by US entities. [WIRED]

US – Pandora Says Music Streams Not Covered By Privacy Law

Pandora is asking the Ninth Circuit Court of Appeals to uphold a decision by a U.S. District Court that the company did not violate a Michigan privacy law by allegedly sharing web users’ music-listening history with their Facebook friends. U.S. District Court Judge Saundra Brown Armstrong dismissed a potential class-action lawsuit alleging that Pandora violated Michigan’s Video Rental Privacy Act by participating in Facebook’s “instant personalization” program. Armstrong ruled the act doesn’t apply when companies “stream” tracks, as opposed to lending, renting or selling them, the report states. The suit’s plaintiff wants his claim revived, but Pandora says Armstrong was correct in her ruling. [MediaPost News]

Law Enforcement

US – FBI Confirms Drone Use, Says It’s Limited

FBI Director Robert Mueller testified to the U.S. Senate that the Federal Bureau of Investigation (FBI) sometimes uses drones for surveillance efforts. “It’s very seldom used and generally used in a particular incident when you need the capability,” Mueller said. “It’s very narrowly focused on particularized cases and particularized needs.” The testimony follows concerns by lawmakers and civil liberties advocates as revelations emerge on the government’s interception of U.S. citizens’ communications via its PRISM program. But the debate on drones has been ongoing. Mueller said the FBI is beginning to formulate privacy guidelines on the technology. [Bloomberg] [Drones Are Easy To Acquire, Lack Regulation]

US – Blood, Spit and Cops: Nationwide Drug Roadblocks Raise Eyebrows

The roadblocks went up at several points in two Alabama towns, about 40 miles on either side of Birmingham. For the next two days, off-duty sheriff’s deputies in St. Clair County, to the east, and Bibb County, to the southwest, flagged down motorists and steered them toward federal highway safety researchers. The researchers asked them a few questions about drinking and drug use and asked them for breath, saliva and blood samples — offering them $10 for saliva and $50 to give blood. It’s not just in Alabama. The roadblocks are part of a national study led by the National Highway Traffic Safety Administration, which is trying to determine how many drivers are on the road with drugs or alcohol in their systems. Similar roadblocks will be erected in dozens of communities across the nation this year, according to the agency. It’s been going on for decades. Previous surveys date to the 1970s. The last one was run in 2007, and it included the collection of blood and saliva samples without apparent controversy, sheriff’s spokesmen in both Alabama counties said. But this time, it’s happening as the Obama administration struggles to explain revelations that U.S. spy organizations have been tracking phone and Internet traffic. Against that backdrop, the NHTSA-backed roadblocks have led to complaints in Alabama about an intrusive federal government. Susan Watson, executive director of the Alabama chapter of the ACLU, called the use of deputies to conduct the survey an “abuse of power.” Even though the survey is voluntary, people still feel they need to comply when asked by a police officer, she said. “How voluntary is it when you have a police officer in uniform flagging you down?” Watson asked. “Are you going to stop? Yes, you’re going to stop.” The agency said the 8,000 drivers expected to take part will do so voluntarily and anonymously, and researchers follow “a highly scientific protocol and complex statistical design in order to accurately reflect the problem nationwide.” [Source]


CH – China’s First-Ever National Standard on Data Privacy

The Information Security Technology-Guide for Personal Information Protection within Public and Commercial Systems (“Guidelines”), China’s first-ever national standard for personal data privacy protection, came into effect on February 1, 2013. The Guidelines are not legally binding; they are just what they purport to be, guidelines, and some commentators view them as merely technical guidelines. However, the Guidelines should not be taken lightly, as they may be a precursor of new legislation ahead. China is not quite ready to issue new binding legislation, but there are indications it seeks to develop consistency with other internationally accepted practices, especially following recent data legislation enacted in the region by neighboring Hong Kong and other Asian countries. [Mondaq News]

SK – Presidential Office Hacked

A hacking attack on the presidential office has resulted in the leak of 100,000 individuals’ personal information. The information includes names, birth dates, ID numbers and both online and offline addresses, the report states. Users’ registration numbers—similar to Social Security numbers—were not affected because they were encrypted. The presidential office has issued an apology and is offering compensation to those affected. [ZDNet]

Online Privacy

EU – Working Group: Default Should Be No Tracking

The EU’s International Working Group on Data Protection has released a whitepaper on online behavioral advertising, reports the Electronic Privacy Information Center. The working group says in its release that World Wide Web Consortium efforts to create a Do-Not-Track mechanism could serve as a “sugar pill instead of a proper cure and would [as] such be useless.” The working group recommends that the default setting be that users are not tracked. [Paper] SEE ALSO: [Forbes: The Web Cookie Is Dying. Here’s The Creepier Technology That Comes Next]

WW – W3C Moves Forward on June Draft; Group Launches Privacy Controls

ZDNet reports on two developments in the Do-Not-Track initiative. First, those participating in a World Wide Web Consortium conference call agreed to accept a draft of the standard in an effort to work toward “Last Call,” when the proposal is brought for a vote. The draft is being dubbed the June Draft. Also, Mozilla has teamed up with Stanford’s Center for Internet and Society to announce it is launching its own set of privacy controls on the web. Called a “Cookie Clearinghouse,” it will allow users to create and maintain “allow lists” and “block lists,” the report states. [Source]

WW – IAB Disapproves of Cookie Clearinghouse

Mozilla’s involvement with The Center for Internet and Society at Stanford Law School in an effort to improve Internet privacy is a “Kangaroo cookie court” according to the Interactive Advertising Bureau (IAB). The IAB disapproves of the ongoing project called the “Cookie Clearinghouse,” a control system that allows users to maintain a “block” and “allow” list when it comes to cookies. But the IAB says the system “replaces the principle of consumer choice with a ‘Mozilla knows best’ system.” Mozilla said it hopes the IAB and other industry groups will get involved in the project to better the user experience. [CNET]

WW – Creepy Facebook Apps Mine Your Profile for Bikini Shots, Break-Up Status

Facebook isn’t to blame. More and more apps built to take advantage of the Facebook social network’s very social tools are hopping the fence from useful and crossing over into downright creepy territory. I looked at several of these apps, which handle tasks such as searching for photos of your friends in their bikinis to notifying you about people who are newly single, to see just how disturbing they are. Some worked more or less as advertised. Others failed miserably, which is good news, as some of the very concepts made my skin crawl. [Source] SEE ALSO: [New York Times: Data You Can Believe In: The Obama Campaign’s Digital Masterminds Cash In]

Other Jurisdictions

IN – CCTV Not Covered in Draft Law

Those whose images are captured via CCTV in public places “will not be able to invoke the proposed privacy law to seek redress.” That is one provision of the draft privacy bill “likely to be tabled in Parliament’s forthcoming session,” the report states, noting the bill does include the creation of a national body to hold individuals, organizations and others accountable for audio and video recording. The bill “addresses the home ministry’s concern that interception laws must not change and that footage from security cameras in public places are kept out of the ambit of the new law,” officials said. [The Indian Express]

AU – Breach Notification Laws Fail to Pass Before Break

The Australian Senate has failed to pass mandatory data breach notification reform laws, which were expected to go into effect by March of next year. The Senate has now taken its break until the next election. The proposed law was described by the Australian Law Reform Commission in 2008 as a “long-overdue measure,” Business Spectator reports. The Senate did pass laws last week requiring commonwealth public officials to report suspected wrongdoing, reports The Register. Meanwhile, a new report says that many Australian data-driven firms are using consumer data to support existing beliefs rather than “achieve fresh insights.” [Business Spectator] [AUS: Banks slam new privacy proposal] see also: [NZ: Govt chief information officer role to be expanded]

Privacy (US)

US – NSA Outlines Steps to Reduce Leaks

To prevent Edward Snowden-type leaks, the National Security Agency is considering a number of measures, including reducing the number of systems administrators it employs, NSA Director Keith Alexander says. The agency also is considering requiring individuals with top-secret security clearance to be partnered to access certain classified documents. Testifying on June 18 before the House Select Permanent Committee on Intelligence, Alexander said the NSA employs at least 1,000 systems administrators with security clearances, most of whom are on the payrolls of government contractors. “About 12 to 13 years ago, as we tried to downsize our government workforce, we pushed more of our information technology workforce, our systems administrators, to the contract arena,” Alexander said. “That’s consistent across the intelligence community.” [Source] [ZDNet] [ComputerWorld] [WIRED] [Privacy groups skeptical of plan to limit NSA’s data access]

US – Former NSA Official Says Anti-Leak Technology Not Deployed

A former NSA cybersecurity official said that when he left the agency in the summer of 2012, there was no anti-leak technology on NSA networks. After Bradley Manning’s alleged data theft came to light, the US Department of Defense rolled out a Host Based Security System (HBSS) to detect unauthorized activity on DOD networks. One of the system’s features is to monitor removable data devices, like those allegedly used by Manning and more recently by Edward Snowden. The official said that the HBSS was not installed on NSA networks as of last summer. He also commented on NSA Director Gen. Keith Alexander’s plan to have the NSA use a two-person rule for data access, saying that it could prove too cumbersome for specialists who need to do fast-paced work, and noted that “the best safeguard would be locking down the content at the source.” [NextGov]

US – Senators Say NSA Inaccurate on Protections

Two senators on the intelligence committee have accused the National Security Agency (NSA) of publicly presenting inaccurate statements about the privacy protections on its surveillance of millions of Internet communications. However, Sens. Ron Wyden (D-OR) and Mark Udall (D-CO) say they cannot identify the inaccuracies within a factsheet without exposing classified information. In a letter written to NSA Director Gen. Keith Alexander, the senators wrote they were “disappointed to see that this factsheet contains an inaccurate statement about how the section 702 authority has been interpreted by the U.S. government…this inaccuracy is significant, as it portrays protections for Americans’ privacy as being significantly stronger than they actually are.” [The Guardian]

US – Former U.S. Rep. Bono Joins Leibowitz to Co-Chair New Privacy Coalition

A group of the nation’s largest telecommunications companies has founded the 21st Century Privacy Coalition. The coalition will be co-chaired by former Federal Trade Commission Chairman Jon Leibowitz and former U.S. Rep. Mary Bono. Founding members include AT&T, Comcast, CTIA-The Wireless Association, Directv, Time Warner Cable, Verizon and the U.S. Telecom Association. In an exclusive interview with the IAPP, Bono said the coalition has nothing to do with the recent NSA revelations and has in fact been in the works for some time, dating back to when she was still serving as chairwoman for the Subcommittee of Commerce, Manufacturing and Trade. “It was clear there was a need,” she said. [Adweek]

US – New COPPA Rules Take Effect Today; Marketers May Not Be Ready

Jeff John Roberts discusses what COPPA’s new rules mean for marketers. The revised law comes into effect today and can impose penalties of up to $16,000 per violation. Many app developers may not be prepared for the rules, which require parental consent before collecting basic data on children. Fast Company predicts three outcomes following today’s implementation of the law: The privacy business–including Safe Harbor programs and privacy lawyers–will boom; sites will neglect to ask users’ age, and/or a “chilling effect” will take place on the development of educational apps and games. [GigaOm]

US – Advocates: Facebook Settlement Not Enough

At a recent hearing, children’s advocates worked to convince U.S. District Judge Richard Seeborg that last year’s proposed settlement of a case surrounding Facebook’s Sponsored Stories doesn’t do enough to protect children’s information. The Children’s Advocacy Institute argued that minors’ content should be off limits to advertisers, but Seeborg—without indicating how he would rule—noted that his function “is not to craft the perfect policy for minors” but only to say whether the settlement is fair. Seeborg gave initial approval of the settlement last year, but it still needs his final sign-off. [Reuters]

US – FTC, Ireland DPA Sign Enforcement Assistance Memorandum

FTC Chairwoman Edith Ramirez and Ireland Data Protection Commissioner Billy Hawkes have signed a memorandum of understanding (MOU) to “promote increased understanding and communication” between both agencies, an FTC press release states. Ramirez said the MOU “is a step forward for the FTC in cross-border privacy enforcement.” Hawkes said he “very much welcomes this important development, which I believe will have valuable assistance to my office…” [The Privacy Advisor]

US – FBI Scanning Driver’s License Images

The FBI has gained access to driver’s license photos for residents of Nebraska, Illinois, South Carolina, Utah, North Carolina, Delaware, Texas and other states to hunt for suspects in criminal investigations. According to memorandums obtained through a Freedom of Information Act request by the Electronic Privacy Information Center, the FBI is authorized to search state databases, which include images and personal information: “The anticipated result of that search will be a photo gallery of potential matches. These potential matches (candidates) will be forwarded to the FBI, along with any associated information stored with the photo.” The agreements between the state motor vehicle divisions and the FBI allow the FBI to use facial recognition systems to compare subjects of investigations to the millions of license and identification photos retained by states. EPIC’s letter explained: “The increasing expansion of facial recognition technology carries with it a number of privacy and security concerns. Facial recognition data is personally identifiable information and improper collection, storage, and use of this information can result in identity theft or inaccurate identifications. Additionally, an individual’s ability to control access to his or her identity, including determining when to reveal it, is an essential aspect of personal security that facial recognition technology erodes. Finally, ubiquitous and near-effortless identification eliminates individuals’ ability to control their identities, posing special risk to protesters engaging in lawful, anonymous speech. The U.S. Supreme Court has repeatedly upheld the right to engage in political speech anonymously.” [Source] [Police Using Driver’s License Photo Databases in Criminal Investigations]

US – Privacy Committee Hearings on Driver’s License Applicants

A Missouri House committee formed to investigate the Department of Revenue’s scanning of driver’s license applicants’ documents has begun two days of hearings into the controversy. The first witness to testify before the House Bipartisan Investigative Committee on Privacy Protection was Jackie Bemboom, head of the Department of Revenue’s Motor Vehicle and Driver’s License division. She testified under oath that they are not trying to comply with the federal Real ID Act of 2005, but that several of their procedures coincide with Real ID. “Real ID asks for the photo to be on the license,” Bemboom said. “Real ID asks for a database, and we’ve been doing a database since 1939.” But committee member and Osage County Sheriff Michael Dixon said Revenue officials have complied with 34 out of 39 items, giving the impression that the department is trying to comply with Real ID. Bemboom maintains that the scanning and storing of source documents is being done to combat fraud. The chair of the committee, Republican House Member Stanley Cox of Sedalia, said several officials from Governor Nixon’s office were set to appear Wednesday, but have since canceled. [Source]

US – Privacy Groups Push Back Against License Plate Database

The massive storage of license plate and vehicle data by law enforcement agencies across Southern California is sparking a debate over the privacy rights of citizens in their cars. Through interagency agreements among the Los Angeles and San Bernardino county sheriff’s departments and more than 30 police departments, cameras called Automated License Plate Readers — mounted to police cruisers or in fixed locations — capture the data on millions of cars across the region. License plate numbers and a vehicle location history are then automatically fed into and permanently stored on one of three databases. On average, a cruiser equipped with an ALPR camera can collect data on 10,000 cars in a single shift, according to industry reports. A lawsuit filed by two privacy rights groups says each of the 7 million registered cars in greater Los Angeles has had its license plate scanned an average of 22 times since the program launched. The curation of so much information on personal vehicles has raised the ire of privacy groups, which are beginning to push back against the data mining efforts of Los Angeles County’s two largest law enforcement agencies. [Source] SEE ALSO: [E-License Plate: Wave of the Future or Menace?]

US – Supreme Court Bars Lawyers From Accessing Drivers’ Database

The U.S. Supreme Court has ruled that lawyers cannot gather personal information about drivers from state databases when seeking plaintiffs for potential lawsuits. The court held in a narrow 5-4 vote that the federal Drivers Privacy Protection Act of 1994 does not allow lawyers to seek the information. The case hinged on language in the law that allows access to the data for lawyers pursuing an “investigation in anticipation of litigation.” A group of drivers sued lawyers who had sought the personal information from the South Carolina Department of Motor Vehicles. The lawyers were seeking to file a lawsuit on behalf of customers against car dealerships over alleged unlawful administrative fees. In the majority opinion, Justice Anthony Kennedy said that “an attorney’s solicitation of clients” did not fit into the section of the law that refers to litigation. What the law protected, he added, was the right of lawyers to seek information in ongoing cases in which they already represent someone. The case is Maracich, et al v. Spears, et al, U.S. Supreme Court, No. 12-25. [Source]

US – PCLOB Public Workshop on Surveillance to be Held

Following the Privacy and Civil Liberties Oversight Board (PCLOB) meeting with President Barack Obama last week, the PCLOB has set a public meeting for July 9 to discuss the National Security Agency (NSA) surveillance programs. The PCLOB “will conduct a public workshop with invited experts, academics and advocacy organizations regarding surveillance programs operated pursuant to Section 215 of the USA PATRIOT Act and Section 702 of Foreign Intelligence Surveillance Act,” according to the workshop notice. The meeting will be held in Washington, DC, but the specific location has not yet been announced. [Politico] SEE ALSO: [SWIRE: Why the New Senator Markey May Be the Most Influential Privacy Congressman in History]

US – Video Game Industry Releases Guidelines for Mobile, COPPA

The group that manages privacy self-regulation for the video game industry, the Entertainment Software Rating Board (ESRB), has expanded its program to cover mobile apps and the upcoming changes to the Children’s Online Privacy Protection Act (COPPA). With COPPA changes to go into effect July 1, the group focused on ways of obtaining parental consent, creating short-form privacy notices for apps and dealing with the expanded definition of personal data to include photos and videos, the report states. Dona Fraser, vice president of the ESRB Privacy Certified program, said “achieving compliance with requirements like COPPA can be complicated, particularly for rapidly evolving platforms like mobile.” The ESRB is also in the process of issuing certifications to its members and awaits Safe Harbor status from the FTC. [AdWeek]

US – The Use of Predictive Policing, Campaigning

New predictive policing programs are being used in Seattle, WA. Using a combination of Google Maps, license-plate readers and computer algorithms, police are able to crunch data to predict where crimes are most likely to occur. Some worry about privacy and civil liberties issues. Meanwhile, Big Data analytics is also being used to better understand and reach out to potential political supporters. Calling it the “new electioneering,” the Times reports on one company that mines online data—particularly social media—and publicly available information to “quantify and measure voter emotion and opinion online.” [New York Times]

US – Database Prompts Call for Monitoring

Louisiana’s Board of Elementary and Secondary Education is appointing a task force to monitor data-sharing in the wake of the Department of Education’s partnership with inBloom, a database created to track student progress. Citing parent and student concerns about the potential for others to access private student data, the report quotes Education Superintendent John White’s comments that the department data will not be sold to outside companies and will be secured behind firewalls. “We’re not suggesting this is a perfect process,” he said. “But we hope we can get to a point where the public understands and trusts that this is being done the right way.” [The Times-Picayune]

US – Ramirez Taps Privacy Expert to Head Bureau of Consumer Protection

The FTC announced Chairwoman Edith Ramirez’s appointment of seven senior staff members, including Jessica Rich, a privacy expert who will now serve as director of the Bureau of Consumer Protection. Rich says that privacy is an area in which the FTC believes consumer protection is very important, and that, in line with Chairwoman Ramirez’s emphasis that the agency plans to be aggressive on privacy, the commission will use the tools in its belt to “the fullest extent possible” to protect consumers, including Section 5 of the FTC Act, the Fair Credit Reporting Act and COPPA. [Press Release]

US – Wong Named White House’s Deputy CTO

The Obama administration has announced its hire of Nicole Wong, who most recently worked for Twitter, as the White House’s deputy U.S. chief technology officer. Wong has also served as vice president and deputy general counsel of Google. “She has tremendous expertise in these domains and an unrivaled reputation for fairness, and we look forward to having her on our team,” said Rick Weiss, director of strategic communications at the Office of Science and Technology Policy. [The Recorder]

Privacy Enhancing Technologies (PETs)

WW – Firefox Web Browser to Move Ahead With ‘Do Not Track’ Option

The maker of the popular Firefox browser is moving ahead with plans to block the most common forms of Internet tracking, allowing hundreds of millions of users to eventually limit who watches their movements across the Web, company officials said. Firefox made the decision despite intense resistance from advertising groups, which have argued that tracking is essential to delivering well-targeted, lucrative ads that pay for many popular Internet services. When Firefox’s maker, Mozilla, first suggested in February that it might limit blocking, one advertising executive called it “a nuclear first strike” against the industry. To help navigate the complexities of when to allow tracking, Mozilla has teamed up with Stanford University’s Center for Internet and Society to create a “Cookie Clearinghouse,” which will advise the company on how to tweak its settings to protect users. Makers of the Opera Web browser have also joined the Stanford-led initiative. [Source]

WW – Using Virtual Assistants to Guide Privacy Settings

To help navigate convoluted and complex privacy settings on commonly used websites, CNET News columnist Dan Farber proposes that virtual assistants, such as Siri and Google Now, can be effective tools to give users more control of their settings. Virtual assistant apps could also help educate users on how their data is being collected, processed and shared. “Instead of reading pages of text,” Farber suggests, “users could query a virtual assistant, which could walk them through their privacy settings.” As virtual assistants “gain more popularity, managing privacy and protecting your online persona will be more of a continuous, background process handled by an intelligent agent rather than a sometimes impenetrable chore.” [CNET] [How UI and UX Can KO Privacy]


WW – Organizations are Not Doing Enough to Defend Against Cybercrime

According to the 2013 State of Cybercrime Survey from PwC, “Organizations are misjudging the severity of risks they face from a financial, reputational, and regulatory perspective.” Current defenses against cyberattacks are not effective because executives either do not understand the scope and import of the threats, or they have stopped paying attention. Many leaders are unaware of who in their organizations is responsible for cybersecurity. They also “underestimate the capabilities of their attackers and the damage they can cause.” The leaders also appear not to understand that, while using smart cloud services and other technological advances may help productivity, they introduce their own vulnerabilities. [CSO Online] [PWC Press Release]

US – CERT Issues Default Password Alert

The US Computer Emergency Response Team (US-CERT) has issued an alert warning that “it is imperative to change default manufacturer passwords and restrict network access to critical and important systems.” The alert notes that “critical infrastructure and other important embedded systems, appliances, and devices are of particular concern.” [Dark Reading] [US CERT]


US – Another NSA Revelation: Stellar Wind

The Guardian continues to publish news of secret, warrantless surveillance programs undertaken by the NSA. This week, the paper has news of an operation called Stellar Wind, which ran from 2001 through 2011, collecting “the accounts to which Americans sent e-mails and from which they received e-mails. It also details the Internet protocol addresses used by people inside the United States when sending e-mails–information which can reflect their physical location. It did not include the content of e-mails.” All “communications with at least one communicant outside the United States or for which no communicant was known to be a citizen of the United States” were fair game, approved by the FISA court every 90 days for a decade. [Source]

US – Senators Want “Public Answers” About Scope of NSA Surveillance

US legislators are calling for “public answers” regarding the scope of the National Security Agency’s (NSA’s) surveillance of people in the US. In their letter to Director of National Intelligence James R. Clapper, the group of 26 senators asks if the NSA collected personal information, such as credit card purchases, library records, and firearms sales, in addition to phone records. The senators also ask if the collected data include cell-site location data. [ComputerWorld] [Washington Post] [Text of Letter]

US – Revising What We Know About PRISM

Initial reports about the NSA’s PRISM surveillance program appear to have gotten the technical details of the program wrong. The stories reported that nine major US Internet companies knowingly allowed NSA access to information on their servers. While the information leak discloses the scope of the NSA’s surveillance, the PRISM system described in a leaked PowerPoint presentation apparently helps automate the FBI and NSA requests for data; it does not allow those agencies unfettered access to the servers. PRISM is part of a much larger NSA data-grab, which has been known about for years, in which data are siphoned from the fiber optic cables through which they travel along the Internet’s backbone. Traffic data are gathered as the traffic leaves and enters the US, and are routed to the NSA for analysis. [Source] [Source]

CA – Eavesdropping Agency’s Data Banks Go Unlisted despite Legal Obligation

The Defence Department appears to have broken the law by failing to publish the latest personal information listings of Canada’s electronic eavesdropping agency. Under federal privacy law, ministers are obliged to list the personal data banks — which hold information about individuals — compiled by agencies in their portfolios. However, there is no public listing this year for Communications Security Establishment Canada, known as CSEC, which reports to the defence minister. The omission has prompted University of Ottawa professor Amir Attaran to lodge a complaint with the federal privacy commissioner, who polices the federal law governing personal information. It’s important for CSEC “to be honest about what data it is gathering,” said Attaran, a lawyer who has taken a keen interest in Canadian information law. The personal data bank issue arises amid concerns about the sort of personal information CSEC and its close American ally, the National Security Agency, are collecting. CSEC spokesman Ryan Foreman said the spy service’s personal information banks used to be listed along with other Defence Department holdings in a federal publication called InfoSource, but in future will be cited separately, as CSEC is now a standalone agency. “CSEC is not exempted from the reporting requirements to publish an InfoSource submission. CSEC will be preparing its first independent InfoSource submission for the 2013-2014 reporting period,” Foreman said. “Previously published versions of InfoSource can be accessed through the Treasury Board Secretariat.” [Source] SEE ALSO: [Michael Geist on the perils of government surveillance] and [How to Tell if a Cell Phone Is Being Monitored]

UK – GCHQ Taps Fibre-Optic Cables for Secret Access to World Communications

Britain’s spy agency GCHQ has secretly gained access to the network of cables which carry the world’s phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency (NSA). The sheer scale of the agency’s ambition is reflected in the titles of its two principal components: Mastering the Internet and Global Telecoms Exploitation, aimed at scooping up as much online and telephone traffic as possible. This is all being carried out without any form of public acknowledgement or debate. One key innovation has been GCHQ’s ability to tap into and store huge volumes of data drawn from fibre-optic cables for up to 30 days so that it can be sifted and analysed. That operation, codenamed Tempora, has been running for some 18 months. The existence of the programme has been disclosed in documents shown to the Guardian by the NSA whistleblower Edward Snowden as part of his attempt to expose what he has called “the largest programme of suspicionless surveillance in human history”. “It’s not just a US problem. The UK has a huge dog in this fight,” Snowden told the Guardian. “They [GCHQ] are worse than the US.” Britain’s technical capacity to tap into the cables that carry the world’s communications – referred to in the documents as special source exploitation – has made GCHQ an intelligence superpower. By 2010, two years after the project was first trialled, it was able to boast it had the “biggest internet access” of any member of the Five Eyes electronic eavesdropping alliance, comprising the US, UK, Canada, Australia and New Zealand. UK officials could also claim GCHQ “produces larger amounts of metadata than NSA”. By May last year 300 analysts from GCHQ, and 250 from the NSA, had been assigned to sift through the flood of data. The Americans were given guidelines for its use, but were told in legal briefings by GCHQ lawyers: “We have a light oversight regime compared with the US”. When it came to judging the necessity and proportionality of what they were allowed to look for, would-be American users were told it was “your call”. The Guardian understands that a total of 850,000 NSA employees and US private contractors with top secret clearance had access to GCHQ databases. The documents reveal that by last year GCHQ was handling 600m “telephone events” each day, had tapped more than 200 fibre-optic cables and was able to process data from at least 46 of them at a time. [The Guardian] [Source] [Source]

AU – Australian Government Shelves Metadata Collection Plan

The government has shelved a controversial plan to force Australian telecommunications companies, internet service providers and sites such as Facebook to collect “metadata” from Australian users and store it for two years. The government had run out of time to push the plan through before the election, but, after a powerful parliamentary committee raised concerns about it, the attorney general, Mark Dreyfus, confirmed more work was needed. “The government will not pursue a mandatory data retention regime at this time and will await further advice from the departments and relevant agencies and comprehensive consultation,” he said in a statement. [Source]

IN – India to Let Government Officials Access Private Phone Calls and Emails

India has launched a wide-ranging surveillance programme that will give its security agencies and even income tax officials the ability to tap directly into emails and phone calls without oversight by courts or parliament, several sources say. The expanded surveillance in the world’s most populous democracy, which the government says will help safeguard national security, has alarmed privacy advocates at a time when allegations of massive US digital snooping beyond American shores have set off a global furore. “If India doesn’t want to look like an authoritarian regime, it needs to be transparent about who will be authorised to collect data, what data will be collected, how it will be used, and how the right to privacy will be protected,” said Cynthia Wong, a researcher at New-York-based Human Rights Watch. The Central Monitoring System (CMS) was announced in 2011 but there has been no public debate and the government has said little about how it will work or how it will ensure that the system is not abused. The government started to quietly roll the system out state by state in April this year, according to government officials. Eventually it will be able to target any of India’s 900 million landline and mobile phone subscribers and 120 million internet users. [Source]

AU – Australia Building Data Storage Facility

The Australian government is building a data storage facility outside Canberra, the country’s capital, to allow intelligence agencies to manage a “data deluge” from the Internet and telecommunications networks. The state-of-the-art facility will support Australia’s Defence Signals Directorate. Some of the information that Australian intelligence agencies receive comes from the US’s PRISM data gathering program. [Source] [Source]

CA – Privacy Commissioners Raise Concerns About Google Glass

Canada’s privacy commissioner and 36 of her counterparts in this country and around the world want to know how Google plans to protect people’s privacy when Google Glass hits the streets. “We would be very interested in hearing about the privacy implications of this new product and the steps you are taking to ensure that, as you move forward with Google Glass, individuals’ privacy rights are respected around the world,” reads an open letter to CEO Larry Page, signed by Jennifer Stoddart and provincial privacy commissioners, as well as those from Australia, Mexico, Switzerland, Israel and New Zealand. Almost from the moment Google announced its wearable computer goggles, privacy concerns were raised about the ability to record people surreptitiously and, in the blink of an eye, post it to the Internet. Among the questions in Tuesday’s letter: What information does Google collect via Glass and what information is shared with third parties, including application developers?; How does Google intend to use this information?; Is Google doing anything about the broader social and ethical issues raised by such a product? Their concerns echo those of the U.S. Congress, which in May sent a similar letter to Google about the “unanswered questions” around privacy. [Source] [CNET News]

Telecom / TV

US – FCC Rules Carriers Must Protect Data

The Federal Communications Commission (FCC) has ruled that telecoms need to safeguard consumer call information regardless of whether they’re using wireless or landlines. An FCC statement says, “When mobile carriers use their control of customers’ devices to collect information about customers’ use of the network…carriers are required to protect that information.” The ruling stems from an investigation into allegations that Carrier IQ was logging customers’ keystrokes. Commissioner Jessica Rosenworcel pointed out that the ruling applies only to carriers, adding, “They do not apply to the manufacturers of wireless phones. They do not apply to the developers of operating systems. Consumers can be confused by these distinctions.” [MediaPost]

WW – Almost Half of iPhone Apps Peek at Your Private Stuff

According to a new study, more than 13% of apps access an iPhone’s physical location while 6% access the device’s address book. Computer scientists at the University of California, San Diego discovered that nearly half of the mobile apps running on Apple’s iOS operating system have gained access to private data. These findings are based on a study of 130,000 users of jailbroken iOS devices, where users have removed restrictions that keep apps from accessing the iPhone’s operating system. One might assume that the results are skewed because the study participants were using a jailbroken iPhone. However, the majority of applications in the study were downloaded through Apple’s App Store and were able to access the same information on locked phones as well. In March, Apple stopped accepting new applications or app updates that access these “unique identifiers,” or privacy invaders. However, the findings suggest that although this update was made to the App Store policy, many apps can still get that information. Unique identifiers allow the creators of the app and advertisers to track a user’s behavior through all the different apps on their devices. Some apps even associate the unique identifier with the user’s email and other personal information. The researchers developed an app called ProtectMyPrivacy (PMP) that is able to detect what data the other apps running on an iOS device are trying to access. Their application enables users to selectively allow or deny access to information on an app-by-app basis, based on whether they feel the apps need the information to function properly. The team has also added notifications and recommendations for when an app accesses other privacy-sensitive information, such as a device’s front and back camera, microphone and photos. “We wanted to empower users to take control of their privacy,” said Yuvraj Agarwal, a research scientist in the Department of Computer Science and Engineering at UC San Diego who co-authored the study. “The choice should be in users’ hands.” Nearly all of PMP’s users voluntarily shared their privacy decisions, allowing the researchers to see which apps they believe should be allowed access to their privacy-sensitive data. PMP is able to make recommendations for 97% of the 10,000 most popular iPhone apps. [Source]

WW – Security Flaws in Phone App Library

Vulnerabilities in the GNU ZRTPCPP open-source security library used by some secure mobile phone apps could be exploited to allow arbitrary code execution and crash applications. The flaws include a remote heap overflow, several stack overflows, and information leakage. [ComputerWorld] [The Register]

US Government Programs

US – US Administrative Office of the Courts’ 2012 Wiretap Report

The US Administrative Office of the Courts 2012 Wiretap Report notes that 15 wiretaps last year encountered encrypted communications. In previous years, there have been a total of seven other instances. In four of the cases, officials were not able to decrypt the messages. This is the first time that officials have reported being thwarted by encryption “since the AO began collecting encryption data in 2001.” According to the report, there were 3,395 authorized wiretaps from state or federal judges in 2012. The numbers do not include “interceptions regulated by the Foreign Intelligence Surveillance Act of 1978.” [WIRED] [US Courts]

US Legislation

US – Bill Proposed To Strengthen Oversight of FISA, USA PATRIOT Act

Sen. Patrick Leahy (D-VT), with the co-sponsorship of Sens. Lee (R-UT), Udall (D-CO), Wyden (D-OR), Blumenthal (D-NY) and Tester (D-MT), proposed the FISA Accountability and Privacy Protection Act of 2013 to “strengthen privacy protections, accountability and oversight related to domestic surveillance conducted pursuant to the USA PATRIOT Act and the Foreign Intelligence Surveillance Act of 1978.” Privacy Tracker reports on the proposed changes, including allowing challenges to gag orders in court, expanding public reporting of national security letters and requiring a comprehensive review of the FISA Amendments Act by the inspector general of the intelligence community. [IDG News]

US – Federal Baseline Breach Notification Bill Introduced

Sen. Pat Toomey (R-PA) introduced legislation Thursday to mandate a nationwide standard for data breach notification. Co-sponsored by Sens. Angus King (I-ME) and John Thune (R-SD), the bill would preempt the current slate of 46 state breach notification laws and provide “better protections and swifter responses for consumers.” With a combination of high-profile data breaches and varying state mandates, “Congress needs to provide businesses and consumers with certainty and establish a single reasonable standard for information security and breach notification practices,” the press release states. [Toomey press release]

US – Louisiana Governor Passes Gun-Owner Protection Law

Louisiana Governor Bobby Jindal signed a bill last week that he says protects the privacy rights of law-abiding gun owners. The law imposes fines of up to $10,000 and jail sentences of up to six months on those who publish the names of people who own or have applied for a concealed handgun permit. “The law raises the constitutional question of prior restraint, meaning when the government prohibits speech or other expression before it can take place.” [Source] Rep. Jeff Thompson (R-Bossier City) said the bill was a response to the controversial map published last year in a New York paper including the names and addresses of handgun permit-holders within its readership region. According to the reports, Arkansas (SB 131), Maine (LD 345), Mississippi (HB 485), New York (New York Secure Ammunition and Firearms Enforcement Act) and Virginia (SB 1335) have all passed laws to protect the identities of concealed weapons permit-holders.

US – Student Privacy Bill Proposed in Massachusetts

Massachusetts lawmakers are considering Bill H 331 to prohibit providers that deliver cloud computing services to kindergarten through grade-12 schools from processing student data for commercial purposes. The bill was filed by Rep. Carlo Basile (D-East Boston) and is a pressing issue as the state is one of five considering participation in inBloom, a Gates Foundation pilot program that aims to help schools simplify computer systems. Rep. Alice Peisch (D-Wellesley) questioned why FERPA doesn’t address the problem; the Lowell Sun pointed to criticisms that 2011 changes to FERPA opened the door for schools to share student data with private entities.

US – New Jersey Senate Passes Drone Regs

Last week, the New Jersey Senate unanimously passed S2702, a bill that sets guidelines for state officials’ use of drones. Permitted uses include criminal investigations and events that “substantially endanger the health, safety and property of the citizens;” however, the use would need to be approved by the agency chief, reports New The bill also restricts use of both audio and visual recording taken by drones. The bill has been received by the Assembly and referred to the Assembly Homeland Security and State Preparedness Committee.

US – Oregon Drone Bill Heads to Governor

Oregon’s police drone bill (SB 71) passed the House 56-3 last week and is headed to the governor’s desk. If signed into law, the bill would bar law enforcement from using drones to collect information without a warrant, except in specified situations.

US – Texas Broadens Breach Notification Law

While Texas has had a breach notification law on the books for a while now that applies to citizens of states without a notification law, it recently passed Senate Bill 1610, which increases the scope further. The new law applies to everyone affected by a breach—regardless of the law in their state of residence; gives organizations the choice of reporting under Texas law or that of the state of the affected person; and allows written notification to go to the last known address. This law differs from many other state breach laws in its perspective. “While most state laws apply when its residents have been affected by a breach, Texas law applies to persons dealing with personal information who conduct business in Texas,” the report notes, adding that no matter what the new law requires, “best practice will remain notifying under the law of the state where the affected party resides.” [Source]

US – Nevada Social Media Law Has Broad Scope

Nevada has become the 11th state to pass an employee social media law. Effective October 1, employers may not ask employees or prospective employees for information that would provide access to their social media accounts. Nor are employers allowed to fire, discipline or discriminate in any way against employees or prospective employees who do not share that information with them. One point to note is that the Nevada law defines social media broadly as “any electronic service or account or electronic content, including, without limitation, videos, photographs, blogs, video blogs, podcasts, instant and text messages, electronic mail programs or services, online services or Internet website profiles,” essentially saying it applies to any online account. So, while the law’s restrictions are narrower than many similar laws, the scope is broader. Nevada joins Arkansas, California, Colorado, Illinois, Maryland, Michigan, New Mexico, Oregon, Utah and Washington in passing a social media law. [Source]

Workplace Privacy

WW – If Nine Of 10 Employees Breach Policies, How Is Privacy Possible?

A survey taken over several years has found that out of 165,000 employees surveyed, 93 percent knowingly violate policies designed to prevent data breaches. Privacy professionals burn the midnight oil crafting policies in line with best practices. But such policies don’t stand a chance of protecting consumer data if the employees charged with practicing model data-steward behavior couldn’t care less about doing so. So how can a company ensure that its people are complying with the policies it promises to practice? [The Privacy Advisor] [Financial Times]

CA – Supreme Court Says No to Random Alcohol Testing

The Supreme Court late last week ruled that companies cannot institute mandatory random alcohol testing of employees. “Random alcohol testing is a humiliating invasion of an individual’s privacy that has no proven impact on workplace safety,” said Dave Coles, president of the Communications, Energy and Paper Workers Union of Canada. Communications, Energy and Paperworkers Union of Canada, Local 30 vs. Irving Pulp & Paper, Limited stems from a 2006 policy by Irving that chose an employee randomly by a computer program. The employee showed a zero blood alcohol level but claimed the test was humiliating and unfair. [Source]


01-15 June 2013



WW – Google Outlaws Facial Recognition, Voiceprints for Google Glass

Google has decided to ban facial-recognition technology from its Google Glass product, following pressure from the U.S. Congress. It has also banned voiceprints, which would allow the microphone to identify a speaker. App developers—including Lance Nanek, who built an app that would allow clinicians wearing the glasses to verify patient identities and pull their medical records without having to turn to a secondary device—are disappointed in the decision. The company says it will not allow such applications until “strong privacy protections” are in place, but the Future of Privacy Forum wonders “what sort of privacy protections can actually be put in place for this sort of technology?” [MIT Technology Review]

See also: [Google Irks Developers with Ruling on Facial-Recognition Apps] and also: [US: Parents angered after schools conduct ‘Minority Report-like’ iris scans on students as young as six without asking their permission]


CA – Privacy Czar to Meet With E-Spy Watchdog on Eavesdropping Concerns

Canada’s privacy watchdog plans to meet with the retired judge who keeps an eye on the national eavesdropping agency. Privacy Commissioner Jennifer Stoddart says she’s concerned that the public knows little about what Robert Decary does in his role monitoring the ultra-secret Communications Security Establishment. Stoddart said earlier this week she would look into any implications for Canada posed by the possible large-scale U.S. snooping. She also wants to know more about the CSE’s long-standing surveillance of foreign Internet, telephone and satellite traffic. The CSE said this week that it “does not have access to data in Prism.” [Source] [Federal watchdog laments having to ‘mop up’ after privacy violations] [Canadian spy watchdog has known about data-mining for seven years] [U.S. online snooping: What Canadians need to know] [Why Canadians Should Be Demanding Answers About Secret Surveillance Programs]

CA – New Treasury Board Policy Requires Reporting Every Data Breach

Treasury Board workers may soon have to report every data breach to the federal privacy commissioner, a change in policy that should come into effect by the fall. The policy change won’t spread to other departments, which will still retain the right not to report data losses if they feel no serious privacy breach has occurred. In the fall, the Treasury Board will amend the government’s security policy to note that “security breaches may be privacy breaches when personal information is or may be compromised,” the briefing note says. “Reporting of both types of breaches will be mandatory to the Treasury Board Secretariat. We will coordinate amendments to the policy instruments relating to privacy and include mandatory reporting to the Privacy Commissioner at the same time,” the briefing note reads. [Source]

CA – NS Legislation Aims to Protect Health Privacy

The province said it is taking steps to keep Nova Scotians’ health information away from prying eyes. Under the Personal Health Information Act, members of the public whose information goes missing or is stolen from their doctor’s office, a nursing home, hospital or other health-care facility, will be notified immediately, health officials said in a news release. The act goes into effect this week. Patients may also access a list of those who’ve seen their private health information, and will be able to limit access to that information or withhold it, the release said. Hospitals, nursing homes, doctors, and several other bodies, including the provincial Health Department, are covered by the act. A staffer at such facilities will also be on hand to respond to privacy concerns, said the release. [Source]


US – $6M AOL Class-Action Approved

A federal judge has given “final approval to a class-action settlement between AOL and a class of more than 650,000 AOL members whose search queries were disclosed to the public” in a case that “has become almost folklore in the privacy world.” The case stems from a 2006 incident where AOL employees released search query data from members for research purposes. “Although the members had been supposedly anonymized, some of them were re-identified based solely on the patterns in their searches,” the report states. The settlement includes $5 million payments to class members as well as almost $1 million in legal fees. [Mondaq]

US – More than Half Polled OK with NSA Tracking to Catch Terrorists

A full 56% of more than 1,000 people polled by Pew Research believe the NSA program is an “acceptable way” for the government to hunt for terrorists. Among 1,005 Americans surveyed by the Pew Research Center, 56% said they believe that tracking phone records is an “acceptable way” to investigate terrorists. Taking the opposite view, 41% consider the practice unacceptable, while 2% weren’t sure. Drilling further, 62% believe it’s important for the government to track down potential terrorist threats even if that affects personal privacy. On the flip side, 34% said the government should not interfere with the privacy of its citizens even if that limits its power to investigate possible threats. Finally, 45% think the government should be able to “monitor everyone’s e-mail and other online activities if officials say this might prevent future terrorist attacks,” while 52% said they were against this practice. Overall, the percentage of people on both sides of the fence is largely the same as it was in 2002, not long after the Sept. 11, 2001, terrorist attacks, according to Pew. [Source]


US – Woman Who Uncovered Petraeus Affair Files Suit

The Tampa, FL, woman whose complaints about cyberstalking exposed the David Petraeus affair has filed a lawsuit accusing federal officials of violating her privacy. The woman, Jill Kelley, and her husband are seeking an apology and unspecified damages, stating the officials who leaked data about them should have been protecting their privacy. “Instead we received highly hurtful and damaging publicity from willful leaks from high-level government officials that were false and defamatory,” Jill Kelley said in a statement. “In addition, we also learned that our personal e-mails were wrongfully searched and improperly disclosed.” [USA TODAY]

UK – Government “Hasn’t Kept Up With Privacy Enhancing Technologies”

The House of Commons Science and Technology Committee met for the first time to discuss the progress of the government’s Digital by Default strategy. During the session, the Committee heard from Dr Martyn Thomas CBE, the highly experienced software engineer, currently working with the Institute of Engineering and Technology. Discussing ID assurance and software vulnerabilities in government digital services, Dr Thomas said that while some services are working effectively online, the government has “a lot to learn about real science and dependable reliance on software.” “The government keeps announcing policies that might come unravelled as a result,” he continued. The Digital by Default discussion was the first of an ongoing investigation by the Science and Technology Committee. [Source]

NZ – Privacy Review Finds Vulnerable Agency IT Systems

The widespread failing has been revealed in a review of 70 government departments and ministries that was able to identify 12 systems at risk because of insecure passwords, potential access by unauthorised users or being connected to internal networks. However, there was no evidence of privacy breaches. KPMG investigated 215 publicly accessible computer systems and found 73% lacked formal security standards and had no formal risk management processes. The offenders included the Ministries of Social Development, Education and Justice, as well as the Earthquake Commission and the MidCentral District Health Board. The review – sparked by privacy breaches identified at Social Development Ministry kiosks in October 2012 – also found that many agencies could not provide documentation on whether or not there were vulnerabilities. Privacy Commissioner Marie Shroff said there are systemic weaknesses in the way privacy and security have been managed in the government sector. Ms Shroff said the review is a wake-up call for government agencies and welcomes the recommendations to improve information security. [Source]

US – South Carolina Proposes DMV-Controlled Electronic License Plates

South Carolina is considering a formal switch from regular license plates to solar-powered plates that will be electronically controlled by the state’s Department of Motor Vehicles. Compliance Innovations, the South Carolina-based company that wants to manufacture the plates and provide them to the state for less than $100 (the normal price is between $3 and $7), has provided a visual on their site. With one swipe of the mouse, a plain plate is emblazoned with bright red “EXPIRED.” In an effort to make the South Carolinian roads safer, supporters say the goal is to better advertise ‘criminal-status’ to the authorities. The DMV could electronically announce the offense on the license plate, easily broadcasting it to passing police cars. [Source]

UK – Survey Shows Public Trust In Government Protection of Digital Identity Data

A new survey has shown a significantly higher level of trust in government to handle the public’s digital identity data – which is part of the planned UK Online Identity Scheme. The figures show that a high level of support is present for the scheme – 91% support it. However, only 9% would put their trust in private companies to manage identity credentials. This is in contrast to the 61% that said they’d trust the government to handle their data. The report also showed the biggest swing in consumer security confidence since the annual survey began in 2007. [Source]


WW – Yahoo E-Mail Scans Not New Practice

That Yahoo users will have their e-mail scanned so relevant ads may be sent to them isn’t actually news at all; the service provider has been doing so since 2011. “This is not about a new policy,” said Yahoo spokeswoman DJ Anderson. “We believe having personalized experiences benefits the user. If the user doesn’t want to have contextual-based or interest-based advertising, they can opt out of that through our ad interest manager.” Users may have simply become aware of the change when Yahoo recently informed users they will be required to upgrade to a newer version of Yahoo mail, which would require them to accept Yahoo’s terms of service and privacy policy. [CNET]

UK – BT Drops Yahoo as eMail Partner After Rise in Account Hijackings

UK telecommunications company BT has dropped Yahoo as its email provider following a growing number of customer complaints that their accounts were hijacked and used to send spam. Yahoo has been BT’s partner for subscriber email accounts. BT plans to move all six million accounts to its new BT Mail platform, which will be hosted by Critical Path. The accounts were vulnerable because Yahoo administrators had not applied a patch in the WordPress content management system that supported one of its blogs. [ArsTechnica] [ZDNet] [Telegraph]

CA – Commissioner Dismayed by Deletion of Emails in Cabinet Ministers’ Offices

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, has released the findings of her investigation into a complaint by Member of Provincial Parliament Peter Tabuns, who alleged the Chief of Staff to the former Minister of Energy had improperly deleted all emails concerning the cancellation of the Mississauga and Oakville gas plants. Over the course of the investigation, the Commissioner learned that in early 2013, staff in the former Premier’s office had approached the Secretary of Cabinet about how to permanently delete emails and other electronic documents. As a result, the scope of the investigation was expanded. At the root of the problems uncovered over the course of our wide-reaching investigation was the practice of indiscriminate deletion of all emails sent and received by the former Chief of Staff to the Minister of Energy. This practice violates the Archives and Recordkeeping Act (ARA) and the records retention schedule developed for ministers’ offices by the Archives of Ontario. This practice also undermines the transparency and accountability purposes of the ARA and the Freedom of Information and Protection of Personal Privacy Act (FIPPA). [Source]

US – Texas Passes Tough Email Privacy Law

Texas Gov. Rick Perry signed what has been called the toughest e-mail privacy bill in the country into law, meaning state law enforcement will need to get a warrant in order to search e-mail—no matter how old it is. The bill unanimously passed both houses of the state legislature before reaching Perry’s desk.

HB2268 surpasses the privacy protections under the federal Electronic Communications Privacy Act (ECPA), which allows warrantless searches of e-mails before they’ve been opened by the recipient and after they’ve been sitting unopened in an inbox for 180 days. Consensus is growing between government, industry and privacy advocates that this time-frame distinction is outdated and ECPA should be updated to require law enforcement to obtain a warrant before searching all e-mails, and in April, the Senate Judiciary Committee passed the ECPA Amendments Act, which would require just that. While this won’t stop federal law enforcement from gaining warrantless access, is Texas setting the precedent for ECPA reform here? The bill’s sponsor, Rep. John Frullo (R-Lubbock) says that the legislation “allows Texas to join other states in making sure law enforcement agencies are able to obtain critical evidence when criminals are using the Internet to commit crimes.” [Courthouse News]


US – Judge Stays Decryption Order in Feldman Case

A federal judge in Wisconsin has stayed a magistrate’s order that would have forced Jeffrey Feldman to decrypt 16 devices which authorities believe contain child pornography. US District Judge Rudolph Randa’s ruling came one day after US Magistrate William Callahan Jr. issued the decryption order. Callahan stepped aside and Feldman’s case was reassigned to Randa after Feldman’s attorney argued successfully that only District Court judges have the authority to issue decryption orders. Feldman’s attorney argued that the decryption order would force her client to build the government’s case against him. [WIRED] [WIRED] [ArsTechnica] [Defense Filing] [Stay of Previous Order]

EU Developments

EU – Ministers Mulling Exemptions to Rule

EU Justice Ministers will today consider granting EU institutions “a sweeping exemption” from new data protection rules that would require the institutions to employ a data protection officer and consult the European Data Protection Supervisor. The European Commission says the rule is currently stricter than general rules on data protection. The exemption would apply after the new regulation is passed, but would include the stipulation that the commission update existing law to bring it in line with the revised regulation. [EurActiv] SEE ALSO: [The Proposed EU Data Protection Regulation: Historic Privacy Framework or Swiss Cheese?]

UK – ICO Publicizes Concerns on Draft Data Protection Regulation

The UK ICO has published on its website a letter to the Secretary of State for Justice restating the Information Commissioner’s concerns about the proposed EU Data Protection Regulation. The Commissioner’s central concern is that the prescriptive nature of the Regulation will impose a significant additional administrative burden on regulators. Coupled with the abolition of notification fees, the ICO’s current source of funding, this would, the Commissioner suggests, leave the ICO unable to intervene on the basis of risk and proportionality and make it less effective. Aspects of the Regulation identified as being of particular concern are:

  • The emphasis on punishment and sanctions at the expense of awareness raising and education
  • The requirement for all data breaches to be notified to Data Protection Authorities, rather than just those that pose significant risk
  • Prior authorization to be required for international transfers where this is not required under the current regime
  • Limited discretion for Data Protection Authorities over administrative sanctions, which are imposed on the basis of process failures rather than privacy risks
  • Participation in a consistency mechanism that is insufficiently risk-based and contains unrealistic time limits [Source]

EU – French Government Has Serious Reservations About Draft EU Regulation

According to Fleur Pellerin, the French Minister for Digital Economy, the Minister of Justice has rejected the latest version of the draft EU Data Protection Regulation. In Parliamentary questioning on 11 June, the Minister confirmed the French Government’s commitment to ensuring adequate protection of personal data, but stated that the French Government’s opposition is based on the current concept of a “one stop shop” for data controllers established in more than one Member State of the European Union. This position follows the CNIL’s expression of concern about the potential difficulties data subjects could face in submitting complaints to a foreign data protection authority. On the topic of international transfers, the Minister for Digital Economy also noted that the French Government called the current international transfer safeguards “not satisfactory at all”, in particular the Safe Harbor system, which it described as “less protective than the European framework.” [Source]

EU – Council of the EU Releases Draft Compromise

The Council of the European Union has released a draft compromise text in response to the European Commission’s proposed data protection regulation. The text narrows the scope of the regulation and “seeks to move from a detailed, prescriptive approach toward a risk-based framework.” In this exclusive for The Privacy Advisor, Centre for Information Policy Leadership President Marty Abrams and Wilson Sonsini Senior of Counsel Christopher Kuner share their insights on this latest development, which has some privacy advocates up in arms. [Hunton & Williams’ Privacy and Information Security Law Blog]

EU – Sweden to Pay for Failure to Implement Directive

The Court of Justice of the European Union has held that Sweden failed to fulfill its obligations under EU law in implementing the EU Data Retention Directive. Sweden has been ordered to pay 3,000,000 euros. In 2010, the court found Sweden had failed to transpose the directive into national law by its September 2007 deadline. Sweden complied in 2012 after internal debate over balancing privacy rights with the need to combat crime, but the court held that such difficulties did not justify the failure to comply. [Hunton & Williams Privacy and Information Security Law Blog]

EU – Archivists Lobby Against Right To Be Forgotten

A group of French archivists is lobbying to keep personal data flourishing online in the face of the EU data protection draft’s “right to be forgotten” provision. Jean-Phillipe Legois, president of the Association of French Archivists says, “Today, e-mail, Facebook, Twitter, this is the correspondence of the 21st century. If we want to understand the society of today in the future, we have to keep certain traces.” The archivists have introduced a petition to present to the European Parliament. The petition has thus far received almost 50,000 signatures. Meanwhile, the French government has rejected the latest version of the draft regulation. [New York Times] See also: [Commentary: Will the Right To Be Forgotten Lead to a Society That Was Forgotten?]

UK – Council Fined for Data Breach

A UK Council has been fined for breaching the Data Protection Act. The council has been ordered to pay 70,000 GBP after a council employee sent a letter including personal details about an adopted child to a birth mother. The breach was caused by the council’s “underlying failure to have a clear policy and process for checking such correspondence, and relevant training for their staff.” [eSecurity Planet]

UK – ICO Funding Cited as Problem

The Information Commissioner’s Office (ICO) has revealed there is a high probability the agency will not have enough funding to accomplish its goals. The ICO risk register released late last week noted, “the ICO does not have enough funding to meet its obligations, the expectations of its stakeholders or achieve its plan,” adding, “In consequence, it (would have) to scale back what it wants to do and fails to deliver an acceptable level of service.” The agency has informed the government it needs more resources and has expressed concern that the proposed EU data protection regulation may have an impact. [Information Age]

UK – ICO fines Glasgow City Council for Unencrypted Laptops Loss

The ICO has fined Glasgow City Council £150,000 following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people. The breach of the Data Protection Act, which happened on 28 May last year, also involved details of businesses, bringing the total to 38,000 affected individuals and organisations. It follows an enforcement notice issued to the council three years ago after a similar breach involving an unencrypted memory stick. The two laptops were stolen from council offices that were being refurbished at the time: one had been locked in a storage drawer, with the key left in an unlocked drawer where the second laptop was kept. One laptop contained the council’s creditor payment history file.

The ICO’s investigation found that the council had issued a number of staff with unencrypted laptops after encountering problems with its encryption software. Most of the devices were later encrypted, but the ICO also discovered that a further 74 unencrypted laptops remain unaccounted for, at least six of which are known to have been stolen. Ken Macdonald, the ICO’s Assistant Commissioner for Scotland, said: “How an organisation can fail to notice that 74 unencrypted laptops have gone missing beggars belief. The fact that these laptops have never been recovered, and no record was made of the information stored on them, means that we will probably never know the true extent of this breach, or how many people’s details have been compromised.” The ICO has also served the council with an enforcement notice requiring it to carry out a full audit of the IT assets it uses to process personal data and to arrange asset management training for managers. [Source]
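The gap the ICO describes, laptops that were neither encrypted nor tracked, is the kind of thing a routine reconciliation between the asset register and the encryption console catches before a regulator does. The following is an added example, not code from the ICO or the council; both CSV extracts are constructed, with the asset tags, column names and the 30-day staleness threshold chosen for illustration.

```python
"""Reconcile an IT asset register against endpoint disk-encryption reports.

Added example with constructed data. REGISTER_CSV stands in for an asset
register, ENDPOINT_CSV for the export of an encryption management console.
The check answers four questions: which in-use laptops are unencrypted, which
have stopped reporting (and may be lost or stolen), which have never reported
(so nothing records what is on them), and which report but were never
registered.
"""
import csv
import io
from datetime import date

# Constructed asset register extract (tags and custodians are made up).
REGISTER_CSV = """\
asset_tag,model,custodian,status
GCC-LT-0001,Latitude E6420,finance,in_use
GCC-LT-0002,Latitude E6420,finance,in_use
GCC-LT-0003,Latitude E6420,housing,in_use
GCC-LT-0004,Latitude E6420,housing,disposed
GCC-LT-0005,Latitude E6420,education,in_use
"""

# Constructed encryption console export: one row per device that has ever
# checked in, with its current encryption state and last contact date.
ENDPOINT_CSV = """\
asset_tag,disk_encrypted,last_checkin
GCC-LT-0001,yes,2013-06-10
GCC-LT-0002,no,2013-06-11
GCC-LT-0003,yes,2012-11-02
GCC-LT-0006,yes,2013-06-11
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(register_csv, endpoint_csv, as_of, stale_days=30):
    """Return {finding: sorted asset tags}.

    Only assets whose register status is in_use are expected to report;
    disposed assets are ignored. A device that has not checked in within
    stale_days is treated as possibly missing even if it was encrypted at
    its last contact.
    """
    register = _rows(register_csv)
    registered = {r["asset_tag"] for r in register}
    in_use = {r["asset_tag"] for r in register if r["status"] == "in_use"}
    reports = {r["asset_tag"]: r for r in _rows(endpoint_csv)}

    findings = {"unencrypted": [], "stale": [], "never_reported": [], "unregistered": []}
    for tag in in_use:
        rep = reports.get(tag)
        if rep is None:
            findings["never_reported"].append(tag)  # no record of its contents
            continue
        if rep["disk_encrypted"].strip().lower() != "yes":
            findings["unencrypted"].append(tag)
        silent_for = (as_of - date.fromisoformat(rep["last_checkin"])).days
        if silent_for > stale_days:
            findings["stale"].append(tag)  # candidate for a lost/stolen report
    # Devices that report but are absent from the register entirely.
    findings["unregistered"] = [t for t in reports if t not in registered]
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for finding, tags in reconcile(REGISTER_CSV, ENDPOINT_CSV, date(2013, 6, 12)).items():
        print(f"{finding:>15}: {', '.join(tags) or '-'}")
```

Run against real exports, the "stale" and "never_reported" lists are the ones to chase first: a device that has never reported is exactly the case Macdonald describes, where no record exists of what it held.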

UK – Public Services Ombudsman for Wales Wants More Privacy Power

Wales could become the first UK nation to have an independent watchdog with the power to stop the publication of some of its reports and to prosecute those who go against its wishes. Public Services Ombudsman Peter Tyndall wants more confidentiality powers to protect vulnerable people. It would mean complainants could face contempt of court charges if they go to the media. But some warn it would mean less transparency. Mr Tyndall has legal powers to review complaints about public services such as hospitals or councils in Wales. Reports following an investigation are always anonymous, with the names of complainants and those associated with the complaint removed. Currently, the ombudsman can choose not to publish reports, but he does not have the power to stop a complainant speaking to the media. [Source]

US – Publishers Ask DC to Help Stop Cookie-Blocking Plan

About 60 small online publishers gathering in Washington, DC, as part of an Interactive Advertising Bureau (IAB) event are seeking “to persuade lawmakers to put more pressure on Mozilla to change its plans for blocking third-party advertiser cookies by default in its Firefox browser.” The IAB’s Mike Zaneis said, “The Mozilla plan has galvanized the small web community. They haven’t been as passionate about policy issues as they are this year.” Mozilla has announced the default cookie-blocking will not be included in its July release, but “small Internet websites still feel threatened,” the report states. [AdWeek]

EU – Spanish DPA Releases Guidance on Cookies Regulation

On April 26th, the Spanish Data Protection Agency (“SDPA”) issued its long-awaited guidance on the Spanish cookies regulation, which requires companies seeking to place cookies on users’ devices to obtain those users’ prior opt-in consent after providing them with clear and complete information about the use of cookies and the purposes for which data collected via cookies will be processed. The guidance, which the SDPA drafted in collaboration with industry, takes a business-oriented approach and provides companies with several alternatives for complying with the regulation’s notice and consent requirements. [Source]

Facts & Stats

WW – Where do People Overshare Most Online? Hint: It’s not the U.S.

24% of global social media users share “everything” or “most things” online, according to a recent survey by marketing research firm Ipsos. But a few countries beat that average several times over: In Saudi Arabia, the clear frontrunner in the survey, more than 60% of respondents said they regularly pour out their feelings, photos and videos to their virtual friends. Those numbers stay pretty consistent across age groups and classes, Ipsos found. In fact, people older than 50 are the most likely to say they share “everything” online. Business-owners and executives — many of whom are likely both educated and prosperous — also lean toward oversharing. There seems to be a clear relationship between “oversharing” and Internet penetration: Nearly all the countries that overindex are in Asia, Africa and Latin America, where penetration is low; meanwhile, almost all the countries that “undershare” are in Europe, where more people are online. A report earlier this year by Saudi social media firm The Social Clinic found that Twitter usage in Saudi Arabia grew by 3000% in 2011 alone, about 10 times the global average. Facebook and YouTube have also seen growth in the double and triple digits: Facebook is now, per The Social Clinic, the third-most visited site in the KSA, and Saudi Arabians watch more YouTube videos than people in any other country. This becomes especially striking — almost unbelievable — when you consider that Saudi Arabia has only 28 million people. [Source and illustrations]


US – Gov’t Says Firms Can Open Up; Obama Defends NSA Programs

The U.S. government has said that U.S. tech firms may publish the number of government requests for user data they receive, but only as an aggregate that combines them with state and local government requests. In our continuing coverage of the National Security Agency surveillance program leaks, we look at responses from Google, Apple, Facebook and Microsoft; reactions from President Barack Obama, who has defended the programs, and Sen. Mark Udall (D-CO), who plans to introduce legislation that would curb some government data collection; and how one lawsuit could break new legal ground. [Source] SEE ALSO: [California Makes A Move To Further Separate The Public From Its Public Records]

US – Machine-Readable Format Helps Disseminate Essential Info in Emergencies

Google and other technology companies told a panel of US lawmakers that providing emergency information in open, machine-readable formats helps drive it to the top of search results, where the people who need it are most likely to find it. In the days surrounding last year’s Hurricane Sandy, Google received roughly 15 million queries for information about the storm, while the Federal Emergency Management Agency’s pages with Sandy information received 740,000 visitors. Government agencies often release pertinent information as PDFs and in other formats that do not make it to the top of search results, where they could do the most good for people looking for information such as the projected path of a storm, shelter locations and other emergency services. [NextGov]


US – Privacy Is Major Hurdle for Research Group

A group of geneticists has established a consortium aimed at creating a database of genetic and clinical data that could be accessed by doctors and researchers across the globe. Experts from the consortium say the major challenge is a lack of standards for storing and sharing data and for assuring that patients consent to this sharing of their data. “The question is whether and how we make it possible to learn from these data as they grow, in a manner that respects the autonomy and privacy choices of each participant,” said David Altshuler of Harvard and MIT. The group consists of more than 70 medical, research and advocacy organizations active in 41 countries. [The New York Times] [Accord Aims to Create Trove of Genetic Data]

US – DNA Samples May Be More Identifiable Than Thought

While research subjects are often told that the DNA sample they’ve provided for the sake of science is not identifiable and their anonymity will be preserved, “geneticists nationwide have gotten a few rude awakenings, hints that research subjects could sometimes be identified by their DNA alone or even by the way their cells were using their DNA.” Such revelations are particularly concerning following the announcement that nearly 80 researchers want to combine the world’s DNA databases to make it easier for researchers to retrieve and share such data. Meanwhile, local law enforcement agencies across the U.S. have begun amassing their own DNA databases. [The New York Times]

US – Supreme Court Rules Police Can Take DNA

The U.S. Supreme Court has ruled police can take DNA swabs from individuals upon arrest without warrant. In a “sharply divided” 5-4 ruling, the majority said DNA testing is a legitimate police procedure. Justice Anthony Kennedy said, “Taking and analyzing a cheek swab of the arrestee DNA is, like fingerprinting and photographing, a legitimate police booking procedure that is reasonable under the Fourth Amendment.” Four dissenting justices argued that the ruling gives police new powers. Justice Antonin Scalia said, “Make no mistake about it: Because of today’s decision, your DNA can be taken and entered into a national database if you are ever arrested, rightly or wrongly, and for whatever reason.” [The Associated Press] SEE ALSO: [The Art of Turning Discarded Chewing Gum Into Your Portrait]

US – Supreme Court Ruling on DNA Swabs Could Lead to Big Brother Scenario

Police making warrantless arrests are now justified in using another identification tool: the DNA swab. That’s according to a 5-to-4 decision by the U.S. Supreme Court, which ruled law enforcement officers can use a buccal swab, a way of collecting DNA from the cells inside a person’s cheek, as part of their standard booking procedure for arrestees. Maryland Attorney General Doug Gansler, who calls DNA collection “the fingerprinting of the 21st century,” says the ruling will help police match unresolved crimes with their perpetrators. Despite the practice’s benefits, the ruling has also drawn serious concern from privacy experts, who worry the swab could create an incentive for police to arrest more people, or lead to the use of people’s DNA for non-judicial purposes, such as government tracking of individuals. Supreme Court Justice Antonin Scalia shares those concerns. In an angry dissenting opinion he read aloud in court, Scalia said: “Make no mistake about it: because of today’s decision, your DNA can be taken and entered into a national database if you are ever arrested, rightly or wrongly, and for whatever reason.” [Source]


US – Judge: Google Must Hand Over Data; EFF, Facebook Call for User Privacy

District Judge Susan Illston has ordered Google to hand over data requested in 19 National Security Letters (NSLs), noting, however, that “Illston all but invited Google to try again, stressing that the company has only raised broad arguments, not ones ‘specific to the 19 NSLs at issue’.” In a separate privacy issue, Google Glass will not include facial recognition technology at this time, the report states. Meanwhile, the Electronic Frontier Foundation (EFF) has filed an amicus brief in a California appellate court “urging the court to protect the privacy rights of social media users by requiring that all requests for their account information—including content—be directed to the users, rather than to third parties like Facebook.” [Network World]

US – Judge Says Google Must Comply with National Security Letters

A federal judge in California has denied Google’s request to modify or nullify 19 National Security Letters (NSLs). US District Judge Susan Illston ordered Google to comply with 17 of the letters after FBI officials submitted secret affidavits and has asked the government to “provide further information” about the other two before she rules on them. In March, Judge Illston ruled that NSLs are unconstitutional because “the non-disclosure provision … violates the First Amendment.” The US government has appealed that ruling. Illston noted that her most recent ruling was made because Google had offered only broad arguments as to why the letters should be thrown out or modified, and suggested that Google try again with arguments “specific to the 19 NSLs at issue.” National Security Letters allow the FBI and the US Department of Justice (DOJ) to request information about individuals from telecommunications companies; the vast majority of the letters also impose a gag order, so that the company from which the information is requested cannot acknowledge the letter’s existence, and the person whose information is requested cannot challenge the order. NSLs can be served without judicial oversight. [CNET] [ZDNet] [InfoSecurity] [March Decision]

Health / Medical

US – HIPAA Loopholes Allow States to Sell Identifiable Data

HIPAA loopholes are resulting in the compromise of patient privacy. States are collecting medical data and selling it to researchers and other third parties. Discharge information, for example, is exempt from the HIPAA privacy rules requiring the removal of 18 patient identifiers. While many states remove the identifiers from discharge data anyway, Washington does not. “While the Office for Civil Rights hasn’t reported any complaints on the matter, the amount of discretion that’s allowed toward states when it goes to de-identifying data is an interesting privacy conversation,” the report states. [HealthITSecurity]

US – Audits Show Risk Assessment Requirement Not Being Met

The HIT Policy Committee’s Privacy and Security Tiger Team is considering methods other than attestation to call greater attention to the importance of risk assessments under the HIPAA Security Rule in HITECH Stage 3. Tiger Team Chair Deven McGraw says many healthcare providers are falling short on conducting timely risk assessments, noting that, based on HIPAA audits, the risk assessment requirement “is still not being met.” Meanwhile, a HealthITSecurity report questions where the fine money resulting from HIPAA security audits is going. [GovInfoSecurity]

US – HHS Publishes HIPAA Administrative Simplification Provisions

The Department of Health and Human Services (HHS) has published an integrated version of the HIPAA Administrative Simplification Regulations, including sections on identifier standards, privacy rule, security rule, enforcement rule and breach notification rule, among others. Wiley Rein Partner Kirk Nahra, said this gives people “one place to put all these developments together. It’s not a ‘substantive’ development, but it makes figuring out what needs to be done and how the rules all fit together a bit easier.” Nahra noted the information will assist covered entities and business associates moving toward the September 23 deadline for compliance with the final omnibus rule. [HHS]

US – EPIC Issues Guidance to HHS for Mental Health Data

The Electronic Privacy Information Center (EPIC) has issued recommendations to the Department of Health and Human Services (HHS) about what it should do regarding releasing mental health data to the National Instant Criminal Background Check System. The recommendations put more onus on states to protect mental health data, stating “HHS should not amend the HIPAA Privacy Rule until the Department of Justice revises its Gun Control Act regulations” to define the standards prohibiting individuals from “shipping, transporting, receiving or possessing firearms.” [HealthIT Security]

US – States’ Hospital Data for Sale Puts Privacy in Jeopardy

Hospitals in the U.S. pledge to keep a patient’s health background confidential. Yet states from Washington to New York are putting privacy at risk by selling records that can be used to link a person’s identity to medical conditions using public information. The potential for a patient’s hospital record to be made public by anyone buying data compiled by states adds to ways privacy is vulnerable in an age of digitized health record keeping and increasingly sophisticated hacking. [Source]
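The two items above describe the same mechanism from both ends: discharge data sold with full ZIP codes and dates, and public information (news reports, public records) that shares those fields. The record linkage below is an added example, not code from either report or from any state health department. All rows are constructed; the Safe Harbor rules it applies (ZIP truncated to three digits, or to "000" for areas of 20,000 people or fewer; dates reduced to the year; ages of 90 or over grouped) are those of 45 CFR 164.514(b), and the list of small-population ZIP prefixes is the one in HHS guidance based on 2000 Census figures, which should be re-checked against current data before use.

```python
"""Re-identification of 'anonymous' discharge data by record linkage, and the
HIPAA Safe Harbor generalisation that blunts it.

All rows below are constructed for this example. The Discharge rows stand in
for a state-sold hospital discharge file that keeps full ZIP codes and dates;
the PublicRecord rows stand in for local-newspaper accident reports or
voter-roll-style data that an acquirer could buy or scrape.
"""
from dataclasses import dataclass, replace

# 3-digit ZIP prefixes that Safe Harbor requires to be replaced with "000"
# because the area holds 20,000 or fewer people, per HHS guidance based on
# 2000 Census figures. Re-check against current census data before relying on it.
SMALL_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
              "823", "830", "831", "878", "879", "884", "890", "893"}


@dataclass(frozen=True)
class Discharge:
    zip_code: str   # 5-digit ZIP, or 3 digits / "000" once generalised
    admitted: str   # ISO date, or bare year once generalised
    sex: str
    age: str        # exact age as text, or "90+" once generalised
    diagnosis: str  # the sensitive attribute the linkage attaches to a name


@dataclass(frozen=True)
class PublicRecord:
    name: str
    zip_code: str
    event_date: str  # date of the publicly reported incident
    sex: str
    age: str


def safe_harbor(d: Discharge) -> Discharge:
    """Apply the three Safe Harbor rules this demo exercises: truncate ZIP to
    3 digits (or "000" for small areas), reduce dates to the year, and cap
    ages at "90+". The diagnosis itself is not an identifier and stays."""
    zip3 = d.zip_code[:3]
    return replace(
        d,
        zip_code="000" if zip3 in SMALL_ZIP3 else zip3,
        admitted=d.admitted[:4],
        age="90+" if int(d.age) >= 90 else d.age,
    )


def _consistent(d: Discharge, p: PublicRecord) -> bool:
    """True if the public record could be the person behind the discharge row,
    at whatever precision the discharge row still carries."""
    zip_ok = d.zip_code == "000" or p.zip_code.startswith(d.zip_code)
    date_ok = p.event_date.startswith(d.admitted)
    age_ok = int(p.age) >= 90 if d.age == "90+" else p.age == d.age
    return zip_ok and date_ok and age_ok and d.sex == p.sex


def link(discharges, public):
    """Map each discharge row index to the sorted names of every public
    record consistent with it. A single name means the row is re-identified."""
    return {i: sorted(p.name for p in public if _consistent(d, p))
            for i, d in enumerate(discharges)}


def reidentified(links) -> int:
    """Count rows whose linkage yields exactly one candidate."""
    return sum(1 for names in links.values() if len(names) == 1)


# Constructed discharge file: no names, but full ZIP, full date, exact age.
DISCHARGES = [
    Discharge("98101", "2012-03-14", "F", "34", "femur fracture"),
    Discharge("98105", "2012-07-02", "F", "34", "cervical spine injury"),
    Discharge("03601", "2012-11-20", "M", "91", "subdural haematoma"),
]

# Constructed public records (e.g. "woman, 34, hurt in crash on 14 March").
PUBLIC = [
    PublicRecord("Alice Example", "98101", "2012-03-14", "F", "34"),
    PublicRecord("Beth Example", "98105", "2012-07-02", "F", "34"),
    PublicRecord("Carl Example", "98105", "2012-07-02", "M", "34"),
    PublicRecord("Dan Example", "03601", "2012-11-20", "M", "91"),
    PublicRecord("Ed Example", "03609", "2012-05-09", "M", "93"),
]

if __name__ == "__main__":
    raw = link(DISCHARGES, PUBLIC)
    deid = link([safe_harbor(d) for d in DISCHARGES], PUBLIC)
    print("raw file:", raw, "->", reidentified(raw), "rows re-identified")
    print("safe harbor:", deid, "->", reidentified(deid), "rows re-identified")
```

With full ZIP and date, every constructed row links to exactly one name, which is the Washington situation the first item describes. After Safe Harbor each row has two candidates, so no diagnosis can be pinned to a person. Two is still a thin margin; Safe Harbor is a floor, and a real release should be checked against the actual population of each remaining cell rather than assumed safe.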

US – FDA Issues Cybersecurity Guidance for Electronic Medical Devices

The US Food and Drug Administration (FDA) has issued cybersecurity recommendations for medical devices. The FDA is urging manufacturers of these products to incorporate measures to protect them from malware and attacks, suggesting that the agency might not approve devices that haven’t taken cybersecurity into consideration. The FDA’s recommendations follow news of security issues in certain fetal monitors and software used in body fluid analysis. The agency also recommended that health care providers improve their cybersecurity practices, as it has noted instances in which passwords were widely distributed or even disabled on software that is supposed to have limited access. There are also reports that health care providers have not applied security updates “in a timely manner.” There is no evidence that medical devices are being targeted, and there have been no reports of patients injured or killed as a result of cybersecurity issues. [ComputerWorld] [FDA’s Cybersecurity for Medical Devices and Hospital Networks] SEE ALSO: [ICS-CERT Warns Health Care Providers of Hard-Coded Passwords in Medical Devices | Source | Source]

Horror Stories

US – Hospital Chain to Settle Suit for $275K

California hospital chain Prime Healthcare has agreed to pay $275,000 to settle a U.S. federal investigation into alleged privacy violations. Prime’s Shasta Regional Medical Center was accused of violating patient confidentiality by sharing a patient’s medical records with journalists and e-mailing her treatment details to almost 800 hospital employees. While the company agreed to the settlement, it admitted no wrongdoing and claims it “would have prevailed in this matter based upon the merits.” California regulators fined Prime $95,000 for this breach last year, but the company says it plans to appeal that fine. [Los Angeles Times] SEE ALSO: [Breach Stats and Implications: A Roundup] and [ON: Hospital defends private records]

Identity Issues

US – Multi-Factor Authentication May Someday be Available as Tattoos and Pills

Motorola Mobility has demonstrated two authentication technologies that remove the need for people to carry around separate devices for two-factor authentication. The first is an electronic tattoo, a flexible, water-resistant sticker that lasts for several days. The second is a capsule that people can swallow daily; its components are activated by stomach acids to emit a signal. Motorola said that the US Food and Drug Administration (FDA) has cleared the pill technology for human use. [ArsTechnica] [The Register] See also: [Emily Harris, 9-Year-Old Girl, Clears Customs With Toy Passport Identifying Her As Unicorn]

Intellectual Property

US – EFF Challenges Inclusion of DRM in HTML5 Specifications Draft

The Electronic Frontier Foundation (EFF) has registered a formal complaint with the World Wide Web Consortium (W3C) regarding the proposed inclusion of digital rights management (DRM) in a draft of the HTML5 specifications. The EFF maintains that the DRM technology, called Encrypted Media Extensions (EME), will erode online freedom, and says that “existing web standards already permit equivalent functionality.” [The Register] [NetworkWorld] [EFF’s Complaint]

Law Enforcement

EU – Legislation Would Allow Police to Place Spyware on Suspects’ Devices

Draft legislation from Spain’s ministry of justice would give police the authority to remotely install spyware on computers, storage devices, and mobile devices being used by suspected criminals. The spyware would be installed only on devices physically located in Spain, and only when suspects are allegedly involved with terrorism, organized crime, or other serious offenses that carry at least a three-year prison sentence. The legislation as currently drafted raises some serious privacy issues: the spyware would give authorities access to data as well as account passwords. It would also affect people who share the targeted device with the suspect. [ZDNet]

US – NJ Bill Allowing Police to Search Cell Phones of Drivers Raises Concerns

Proposed legislation would allow police in New Jersey to search the cell phones of drivers involved in accidents to determine if they were texting or talking at the time of a crash. The measure is raising some constitutional concerns. Seton Hall law professor Jenny Carroll questions whether police seizure of the phones is a violation of a driver’s right to privacy. “To the extent that the Legislature may be able to argue that the driver has ceded some of his privacy interests by being in that accident, you can’t make that argument for the third party whom the driver was potentially in communication with,” she said. “And I think that is potentially an issue the Supreme Court is going to have to address as well.” Carroll says there have been conflicting lower court rulings on the constitutionality of similar laws enacted in Ohio, Florida, Washington, and California. Opponents also wonder how police would be able to determine if a phone was being held at the time of a crash or was being legally operated in hands-free mode. The American Civil Liberties Union of New Jersey also opposes the measure, saying it infringes on privacy rights and is likely to face a constitutional challenge. [Source]

US – Prosecutors’ Use of Mobile Phone Tracking is ‘Junk Science,’ Critics Say

At his trial last year on federal kidnapping and conspiracy charges, prosecutors sought to introduce cell tower evidence purporting to show that calls placed from defendant Antonio Evans’ cellphone could have come from his aunt’s house, where the victim was thought to have been held for ransom. What made the Evans case unusual was the fact that the defense even put up a fight to keep the cell tower evidence out of the trial. Evans’ lawyers said the technique has not been shown to be scientific. U.S. District Judge Joan H. Lefkow of Chicago took an in-depth look at the cell tower evidence the government was proposing to use and found it wanting. The judge wrote that an FBI special agent’s “chosen methodology has received no scrutiny outside the law enforcement community.” As a result, the court concluded that the government had not demonstrated that testimony was reliable. In 2011, the nation’s nine largest cellphone carriers responded to 1.3 million requests for subscriber information of all kinds, including cell tower records, from law enforcement officials, according to data compiled by a congressional committee. Cell tower records, also known as call detail records, are the billing records cell companies use to keep track of their customers’ calls. They show the date and time of all calls made or received, the numbers called, the duration of each call, and the cell towers used to begin and end a call. And those requests have been rising at an annual rate of 12% to 16% in the past five years. [Source]
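The argument Judge Lefkow accepted turns on what a call detail record actually constrains. A CDR names the serving cell for the start and end of a call; it does not give a position. The following is an added example, not from the article or the Evans case file, of parsing CDR rows and testing which candidate locations a serving sector is consistent with. The CDR text, tower coordinates, candidate places and column layout are all constructed; real carrier exports differ, and the assumed sector range is a stated guess, since actual coverage depends on terrain, antenna tilt, load and neighbouring cells.

```python
"""Parse call detail records (CDRs) and test which candidate locations a
serving cell sector is consistent with.

Added example with constructed data. A serving-cell record says the handset
was somewhere the sector could serve, not where in that area it was.
"""
import csv
import io
import math
from dataclasses import dataclass
from datetime import datetime

# Constructed CDR extract; column names are an assumption, carriers vary.
CDR_TEXT = """\
call_id,start_utc,end_utc,direction,other_party,start_cell,end_cell
1001,2012-01-14T19:02:11Z,2012-01-14T19:05:40Z,out,+13125550100,CHI-0412-B,CHI-0412-B
1002,2012-01-14T19:41:03Z,2012-01-14T19:41:55Z,in,+13125550177,CHI-0412-B,CHI-0377-A
"""


@dataclass(frozen=True)
class Sector:
    lat: float
    lon: float
    azimuth_deg: float    # direction the antenna faces, clockwise from north
    beamwidth_deg: float  # angular width served by this antenna
    range_km: float       # assumed usable radius; an estimate, not CDR data


# Constructed sectors; a typical urban site has three 120-degree sectors.
TOWERS = {
    "CHI-0412-B": Sector(41.8800, -87.6300, azimuth_deg=90, beamwidth_deg=120, range_km=3.0),
    "CHI-0377-A": Sector(41.9000, -87.6100, azimuth_deg=210, beamwidth_deg=120, range_km=3.0),
}

# Constructed candidate locations the parties might argue about.
PLACES = {
    "aunt's house": (41.8800, -87.6179),
    "defendant's home": (41.8927, -87.6129),
    "shopping mall": (41.8575, -87.6300),
    "airport": (41.8800, -87.5697),
}


def parse_cdrs(text):
    """Read CDR rows and add each call's duration in seconds."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        start = datetime.strptime(r["start_utc"], "%Y-%m-%dT%H:%M:%SZ")
        end = datetime.strptime(r["end_utc"], "%Y-%m-%dT%H:%M:%SZ")
        r["duration_s"] = int((end - start).total_seconds())
    return rows


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def bearing_deg(lat1, lon1, lat2, lon2):
    """Initial bearing from point 1 to point 2, clockwise from north."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dl = math.radians(lon2 - lon1)
    x = math.sin(dl) * math.cos(p2)
    y = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dl)
    return math.degrees(math.atan2(x, y)) % 360


def in_sector(s: Sector, lat, lon) -> bool:
    """True if the point lies within the sector's assumed range and beam."""
    if haversine_km(s.lat, s.lon, lat, lon) > s.range_km:
        return False
    off_axis = (bearing_deg(s.lat, s.lon, lat, lon) - s.azimuth_deg + 180) % 360 - 180
    return abs(off_axis) <= s.beamwidth_deg / 2


def sector_area_km2(s: Sector) -> float:
    """Ground area the sector covers under the range assumption."""
    return (s.beamwidth_deg / 360) * math.pi * s.range_km ** 2


def candidate_locations(cell_id, towers, places):
    """Names of the candidate places the given serving cell is consistent with.
    More than one name means the record cannot distinguish between them."""
    s = towers[cell_id]
    return sorted(name for name, (lat, lon) in places.items() if in_sector(s, lat, lon))


if __name__ == "__main__":
    for call in parse_cdrs(CDR_TEXT):
        cell = call["start_cell"]
        print(f"call {call['call_id']} ({call['duration_s']} s) started on {cell}, "
              f"sector ~{sector_area_km2(TOWERS[cell]):.1f} km^2, "
              f"consistent with: {candidate_locations(cell, TOWERS, PLACES)}")
```

On the constructed data both the start cell of the first call and the end cell of the second are consistent with the aunt's house and with the defendant's own home, and the single sector covers roughly 9.4 km². That is the shape of the problem the defense raised: the record rules places out, it does not put the phone at one of them, and even the exclusions depend on a range figure that is an assumption rather than a measurement.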


US – US Agency Cracks Down on Medical Device IT Security

An American regulatory agency believes medical device manufacturers have to get tougher with IT security on anything that touches the Internet or a wireless network. The Food and Drug Administration (FDA) issued draft guidelines on the vulnerabilities that electronic health equipment manufacturers should address before submitting products for approval. After hearing comments from industry and the public, the guidelines will be finalised, and the FDA will have the power to refuse to approve devices if manufacturers do not provide adequate plans for protecting them. [Source]

US – Court: Robber Has No Right of Privacy Against GPS Search of Stolen Phone

A person who steals a cellphone doesn’t have a privacy right that would prevent police from using global positioning to find the phone and arrest him, a state appeals court ruled in San Francisco. A three-judge panel of the Court of Appeal unanimously upheld the conviction of Lorenzo Barnes and his sentence of 13 years and eight months in prison for a 2009 armed robbery in San Francisco. “Did defendant have a legitimate expectation of privacy in the cellphone he had stolen? The answer is an emphatic ‘no,’” Justice James Richman wrote in the court’s decision. Richman cited a 2005 decision in which the 9th U.S. Circuit Court of Appeals said, “The Fourth Amendment does not protect a defendant from a warrantless search of property that he stole.” Richman also noted that the arrest was based on a combination of the cellphone pinging and the victims’ description of the stolen purse and the suspect. That information taken together provided the officers with “ample reasonable suspicion for a detention,” the appeals court said. [Source]


JP – Japan Applies to Take Part in CBPR

Japan’s Ministry of Economy, Trade and Industry has announced the government’s June 7 application to participate in APEC’s Cross-Border Privacy Rules. “Japan applied for participation in the system, following the United States and Mexico,” the announcement states, noting, “In the future, if Japan is admitted to the system and the neutral certification organization is authorized, enterprises and other entities certified by this organization will be able to prove that the handling process of private information in their companies is compatible with the APEC Information Privacy Principles.” The division in charge of the application is the Office of International Affairs, Information Policy Division, Commerce and Information Policy Bureau. [Source]

Online Privacy

EU – French Court Orders Twitter to Disclose Names

A French case “threatens to undermine” Twitter’s record of keeping user identities private and raises questions about how non-U.S. rulings against U.S. companies will be enforced. The report references a French court’s ruling this week ordering “Twitter to disclose the names of users who tweeted anti-Semitic remarks,” noting the court determined “Twitter was ultimately responsible for the content on its website.” The report questions the enforceability of the law, noting “Twitter says it tries to comply with all local country laws” but “has made it clear it will default to American laws,” while the French ruling states that “adhering to French law is not optional.” [San Francisco Chronicle]

WW – Opera Releases Mobile Browser With Privacy Built-In

The Norwegian browser developer Opera announced this week the release of Opera Mini 4.5, a low-end mobile browser intended for “featurephones.” Notably, it has a built-in private setting that keeps any login or data from being saved to the phone. For example, friends can log in and check Facebook without worrying that their log-in information will be retained. [GigaOm]

Other Jurisdictions

WW – UN Report: State Surveillance Violates Rights to Privacy, Expression

The UN Office of the High Commissioner for Human Rights drew attention today to its recent report indicating state communications surveillance undermines the human rights to privacy and freedom of expression. “Concerns about national security and criminal activity may justify the exceptional use of communications surveillance,” said UN Special Rapporteur Frank La Rue. “Nevertheless, national laws regulating what constitutes the necessary, legitimate and proportional state involvement in communications surveillance are often inadequate or simply do not exist…Who are the authorities mandated to promote the surveillance of individuals? What is the final destiny of the massive amounts of the stored information on our communications? These questions urgently need to be studied in all countries to ensure a better protection of the rights to privacy and the right to freedom of expression.” [UNHR]

NZ – Media Release: Websites Leave Children and Parents Guessing

A recent scan of NZ school websites and some popular children’s game sites showed there is often no information given to users about how their personal information collected via the site will be used and shared. The scan was part of an international “internet sweep” day, involving the New Zealand Privacy Commissioner and other overseas data protection offices in the Global Privacy Enforcement Network (GPEN). The amalgamated international results from the GPEN internet sweep will be available in coming months. Further international and domestic action to encourage improved information for website users will be considered once final results of the sweep are known. [Source]

Privacy (US)

US – Should Political Campaigns Distribute Voter Data?

In the 2012 Presidential race, the Obama for America 2012 campaign wanted to send e-mail messages to supporters asking them to contact other potential supporters and provide personal information in order to facilitate such action. The campaign decided against it in the end. “We couldn’t do the whole experiment we wanted to do, because people were really worried about sending out personal information over e-mail,” said Rayid Ghani, chief scientist of the campaign. Ghani was one of the political advisers who spoke at a recent conference on political campaigns’ use of data mining. [MediaPost]

US – Largest Privacy Class-Action Suit Ever?

Digital analytics firm comScore is the target of what could be the largest privacy class-action lawsuit ever, potentially amassing tens of millions of plaintiffs. A Chicago appellate court denied comScore’s request to overturn a lower court ruling on allegations the company’s software violates the Stored Communications Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and the Illinois Consumer Fraud and Deceptive Practices Act, the report states. ComScore says it will fight the allegations and that the case is filled with inaccuracies, noting it has had little opportunity to “educate the court” on its practices. The plaintiffs are seeking injunctive relief and damages of $1,000 per violation. [AdWeek]

US – Veterans Affairs Taken To Task Over 2010 Breach

House Committee on Veterans Affairs (VA) Chairman Jeff Miller (R-FL) and Ranking Member Michael Michaud (D-ME) sent a letter last week to VA Secretary Eric Shinseki demanding answers to a number of questions raised during a recent committee meeting regarding hacking by foreign nationals of the VA computer network in 2010. Will the VA be offering credit protection services to every veteran and dependent in its database? Why are there discrepancies in how the breach is being described at differing times? Why was Congress apparently not notified of these security compromises? “The fact is that we don’t know what they took but I believe (the VA) had a responsibility to the men and women who served this country to notify them at the point that they knew they were hacked,” Rep. Mike Coffman (R-CO) told Federal News Radio.

US – LinkedIn Seeks Second Dismissal of Class-Action Suit

U.S. District Court Judge Edward Davila is for the second time this year considering a class-action suit brought by Virginia resident Khalilah Wright against LinkedIn, alleging the company duped premium subscribers by implying there would be extra security for those paying more and that they would not be exposed to the kind of breach that resulted in 6.4 million users having their passwords posted online. Wright’s first suit was dismissed in March, as Davila ruled she failed to show a connection between her extra dues and the implied extra security. Wright is back now with an expert who’s conducted a survey showing subscribers expect extra security for extra membership fees. [MediaPost News]

US – Lawyer Taking Street View Case to Appeals Court

The U.S. Court of Appeals for the Ninth Circuit will this week hear arguments aiming to bring sanctions against Google over its collection of personal data from WiFi networks via its Street View mapping project. “Although these home networks were not password-protected, the communications transmitted over them were private and not broadcast for public consumption,” Elizabeth Cabraser writes in her appellate brief. “Such communications are protected from prying eyes by the Wiretap Act, as amended by the Electronic Communications Privacy Act.” Google attorneys say the data upload was unintentional and not illegal because anyone can access unencrypted WiFi signals. [The Recorder]

US – Biz Concerned About COPPA Compliance

When it comes to complying with COPPA changes going into effect July 1, “Industry advocates paint a dire scenario of costly audits, abandoned projects and disrupted business models,” while privacy advocates and the FTC “view the expanded rules as vital to protecting kids.” The changes include requiring additional types of companies to get parental consent before collecting information from children under the age of 13. Additionally, the changes broaden the definition of personal information, which will now include photographs and videos. DLA Piper’s Jim Halpert suggests, “The proposed rule will likely dry up the market for behavioral advertising on child-directed sites.” [POLITICO]

US – Legislators Seek to Declassify FISA Court Opinion

US lawmakers have proposed legislation that would declassify some opinions from the Foreign Intelligence Surveillance Court, following the leak of information that indicated the court has been ordering telecommunications companies to turn over customers’ call records. Specifically, the bill seeks to require that the Justice Department declassify the FISA Court’s interpretations of the Foreign Information Security Act and the Patriot Act. On June 12, the FISA Court “granted a motion not to block disclosure of an earlier … opinion that declared parts of the NSA’s surveillance under Section 702 of the FISA Amendments Act to be unconstitutional.” The Electronic Frontier Foundation filed the motion in May. [ArsTechnica] [WIRED] [ComputerWorld] [US]

US – Google Wants to Disclose Data on FISA Court Orders

Google, Facebook, Microsoft, and Yahoo have asked the Justice Department to lift gag orders that prohibit the companies from discussing FISA Court orders requesting customer data. Google and other companies have begun publishing data about the number of national security letters (NSLs) they receive annually, although those figures are given in ranges of thousands, which was the agreement reached with the government. NSLs may not request content, but FISA Court orders are not bound by the same restrictions. Google wants to publish the data to support its assertion that it does not allow the NSA to gather information through a secure portal or put the requested data in a drop box for federal agents to retrieve, as has been reported. Google has a team that reviews every FISA order. Typically, the company delivers the requested information by hand or sends it to the requesting organization through secure FTP transfers. Hand-delivered data would likely be hardcopy or put on a memory disk or external hard drive. [Washington Post] [WIRED] [WIRED] [Washington Post] [ZD Net]

US – Small Internet Businesses Head to Hill With Mozilla Topping Agenda

Small Internet publishers have been to Washington before to tell their story, but this time they are gathering with a singular purpose: to persuade lawmakers to put more pressure on Mozilla to change its plans for blocking third-party advertisers’ cookies by default in its Firefox browser. As many as 60 small Web companies will be visiting lawmakers this week as part of the IAB’s annual Long Tail Alliance Fly-In. Even though it’s the group’s fifth year on the Hill, this year they are more determined than ever to be heard. “The Mozilla plan has galvanized the small Web community. They haven’t been as passionate about policy issues as they are this year,” said Mike Zaneis, SVP and general counsel of the IAB. “It’s an intermediary meddling in the business.” Although Mozilla announced earlier this month that it wouldn’t implement the default cookie blocker in its July release until it did more testing, small Internet websites still feel threatened. With fewer than 10 employees, often three-person operations, small Web publishers like and depend on advertising revenue from ad networks and can’t afford to be cut off. Ahead of the trek to D.C., more than 960 ad-supported Internet businesses have signed a petition on the Interactive Advertising Bureau’s website, warning Mozilla that if it goes ahead with the cookie-blocking browser, many of them will be forced to close. Already, four GOP lawmakers, Reps. Mike Pompeo (Kan.), Marsha Blackburn (Tenn.), Walter Jones (N.C.) and Jeff Denham (Calif.), have sent a letter to Mozilla urging it to commit to not blocking third-party cookies by default, because doing so would favor large Web publishers to the detriment of smaller ones. “The third-party cookies that Mozilla Firefox would block are what allow the U.S.-based Internet publishing industry to sustain original, free content on thousands of small business websites in every corner of America,” the four lawmakers wrote. [Source]


US – Oregon Passes RFID Privacy Bill

Oregon’s HB 2386 A, “Relating to radio frequency identification devices; and declaring an emergency,” is currently awaiting Governor John Kitzhaber’s signature. The law, if signed, would require students or parents of students to be notified if RFID devices are to be used to track students in any way. Further, the law would allow students or parents of students to opt out of wearing or carrying any item using RFID technology. The State Board of Education is tasked by the law with creating standards for all local school boards that incorporate these mandates. Until those standards are in place, no school district may use RFID technology without first notifying the State Board. [Bill]


US – NSA Leaks Increase EU-U.S. Tensions

The recent leaks of the National Security Agency’s surveillance programs are increasing tension between the U.S. and EU. The Obama administration lobbied in 2012 to have certain measures removed from the proposed EU data protection regulation that would have “limited the ability of U.S. intelligence agencies to spy on EU citizens.” The Privacy Advisor’s continuing coverage of the recent leaks also looks at recent revelations by Google of how it shares user data when it receives national security requests, and more. [Financial Times]

US – Sen. Asks PCLOB to Investigate NSA Programs

At a Senate Appropriations Committee hearing on Wednesday, Sen. Tom Udall (D-NM) said he has sent a letter, with bipartisan support, to the Privacy and Civil Liberties Oversight Board (PCLOB) asking it to “make it a priority” to investigate the National Security Agency’s (NSA) dragnet phone surveillance and PRISM programs to determine whether they were “conducted within the statutory authority granted by Congress” and “take the necessary precautions to protect the privacy civil liberties of American citizens under the Constitution.” He also asked NSA head General Keith Alexander whether the NSA will work with the PCLOB. The Privacy Advisor, in this exclusive, reports on the investigation and the NSA head’s defense of its programs. [Source] [PCLOB To Meet on NSA Revelations] [Will the NSA Leaks Be a Boon for Privacy Technology?]

US – First Lawsuit Filed Over NSA’s Surveillance of Verizon Data

A lawsuit has been filed against Verizon, the NSA, President Barack Obama, Attorney General Eric Holder and others over the constitutionality of the NSA’s wide surveillance program, which was disclosed late last week. The lawsuit alleges that the surveillance program violates the US Constitution as well as a number of federal laws. [WIRED]

US – ACLU Asks FISA Court on Constitutionality of Section 215 of Patriot Act

The American Civil Liberties Union (ACLU) has filed a motion asking that the Foreign Intelligence Surveillance (FISA) Court “unseal its opinions evaluating the meaning, scope, and constitutionality of Section 215 of the Patriot Act.” That section allows the court to issue national security letters (NSLs) at the request of the government, which has to demonstrate only that the information sought is relevant to an “authorized investigation.” Senators Mark Udall (D-Colorado) and Ron Wyden (D-Oregon) last year wrote Attorney General Holder, requesting the declassification of the secret court ruling allowing the broader surveillance powers. [WIRED] [ACLU]

US – NSA Whistleblower Edward Snowden

Edward Snowden, who leaked the information about the NSA’s data gathering practices, is currently in Hong Kong. Snowden is a former CIA technical assistant and more recently worked as a contractor for the NSA through Booz Allen Hamilton. One of the Guardian journalists who originally reported the story said that Snowden is hoping to obtain asylum in Iceland because of the way that country dealt with WikiLeaks. Icelandic law requires that asylum applications be made from within the country. Snowden told The Guardian that “the government has granted itself power it is not entitled to. There is no public oversight.” He also said that he “do[es] not expect to see home again.” [CNN] [ArsTechnica] [Guardian] [Interview with Snowden]

US – Verizon and PRISM Defended

President Obama said that the program gathering data from Verizon is legal and that “nobody is listening to your telephone calls.” As for PRISM, President Obama said that the Internet and email information gathered “does not apply to people living in the United States.” Director of National Intelligence James R. Clapper said that “the information acquired [through the Verizon order] does not include the content of any communications or the identity of any subscriber.” Clapper also noted that the programs were reviewed by a court and were found to be legal. While some US lawmakers have decried the broad information gathering conducted by the government on its own citizens, many others appear reluctant to make changes to the current laws that allow the harvesting of information from Verizon and nine Internet companies. Legislators from both parties noted the benefits of the program. [NextGov] [CSO Online] [NextGov] [InformationWeek] [ZDNet] [Viviane Reding, the justice commissioner of the European Commission, will be raising these concerns at a meeting with the US Attorney General, Eric Holder, this week in Dublin.]

US – Internet Company Executives Deny Participation in PRISM

Executives at Google, Facebook, and seven other companies identified as participating in an NSA surveillance program known as PRISM have denied that they allow intelligence officials direct access to their servers and user data. The companies have denied knowledge of PRISM, although it’s likely that the program would have been referred to differently in that circle. There is speculation that the companies’ statements have been carefully scripted; many have similar language, including a denial that the government has “direct access” to the data. [Washington Post] [The Atlantic] [WIRED] [ComputerWorld]

US – PRISM Gives NSA Access to Data on Servers of US Internet Companies

It now appears that the National Security Agency’s (NSA’s) reach extends beyond just Verizon’s call records. According to information provided to The Washington Post by a career intelligence officer, the NSA and the FBI are mining data directly from the servers of nine major US Internet companies, including Microsoft, Apple, Yahoo, Google, Facebook, Skype, and YouTube. They are accessing a wide variety of content, including audio and video chats, photographs, email, and connection logs. The program is called PRISM and focuses on foreign communications traffic. Some of the companies have said that they are not aware of PRISM. Facebook chief security officer Joe Sullivan said that Facebook does “not provide any government organization direct access to Facebook servers” and that when the company receives a request for data, it is carefully scrutinized to make sure laws are being obeyed, and then the company provides only the information that is required by law. Material from an April 2013 internal briefing on PRISM said that NSA reporting uses raw information gathered through PRISM for nearly one in seven of its intelligence reports. US legislators who were aware of the program were bound by oath not to speak of it, even during a floor debate in the Senate late last year on the FISA Amendments Act. [Washington Post] SEE ALSO: [NYT: How the U.S. Uses Technology to Mine More Data More Quickly]

US – FISA Order Requires Verizon to Provide NSA with Metadata on All Calls

According to a document obtained by The Guardian, the US Foreign Intelligence Surveillance Court issued an order forcing Verizon to provide the NSA metadata on all calls made through its systems over the three-month period between April 25 and July 19, 2013. The data gathered includes phone numbers of both parties, IMSI numbers for mobile callers, calling card numbers used, and time and duration of calls. While the content of the calls is not recorded or gathered, in some cases the location of the parties on the call may be included through cell site data. Senators Ron Wyden (D-Oregon) and Mark Udall (D-Colorado) have been trying to drop hints about the extent of the surveillance program but have been bound by oath not to discuss it. The Obama administration is defending the program as a necessary tool to protect the country from terrorist attacks. [James R. Clapper, Director of National Intelligence, has issued a statement on this particular issue] [The Guardian] [WIRED] [Ars Technica] [Court Order]

US – Bradley Manning Trial Begins

The court-martial of Army Pfc. Bradley Manning for offenses related to the leak of classified information has begun. Manning, who has been detained since his 2010 arrest, allegedly gave more than 700,000 government and military documents to WikiLeaks. Among the 22 charges Manning faces is a count of aiding the enemy, which could bring a life sentence without the chance of parole. [Washington Post] [Washington Post]

US – Whistleblower Comes to Light, U.S. Gov’t Defends Its Programs

Former technical assistant for the Central Intelligence Agency Edward Snowden has come forward in an online interview with The Guardian, speaking of his reasoning for handing over classified information about the National Security Agency’s PRISM online surveillance program. This comes amidst continuing national and international debate and discussion about online privacy and surveillance practices. The Privacy Advisor covers the U.S. government’s defense of the program, international reactions (including potential EU-U.S. trade implications), the potential impact on online behavioral advertising and how privacy experts and advocates are reacting to the news. [The Privacy Advisor] [PRISM’S Impact on Global Data Flows] [Tech Firms, Lawmakers Respond to NSA Leak] [NSA Implications for Gov’t, Ad Industry, Consumers] AND ALSO: [Poll: Majority Of Americans Comfortable With Surveillance]

EU – European Institutions Tracking Users Despite Law

European institutions are tracking website users in breach of EU data protection rules. European Data Protection Supervisor Peter Hustinx said institutions are aware and guidelines are being drawn up to deal with the problem. The admission of the problem came after recent reports of the U.S. National Security Agency’s (NSA) Prism scheme. Meanwhile, The New York Times reports on differing European reactions to news of the NSA surveillance program. [EurActiv]

UK – CCTV Code Comes Into Force Despite Privacy Concerns

The government’s 12-point plan to regulate the use of surveillance cameras has come into force, despite widespread concern that it does too little to protect the public from unwarranted invasion of privacy. The Surveillance Camera Code of Practice aims to balance the needs of law enforcement for CCTV footage with individuals’ rights to privacy. Under the code, CCTV operators are required to stipulate the purpose of the cameras and are expected to conduct annual reviews to ensure their use continues to be justified. The code also places restrictions on the storage of footage and demands that access be tightly controlled. Forensic science regulator Andrew Rennison became the UK’s first surveillance camera commissioner last year and will work in conjunction with the information commissioner to encourage compliance with the code. The code of practice was first published last year, with a consultation programme running between February and March this year. According to the government’s own figures, nearly a fifth of respondents said they would not support the implementation of the CCTV code of practice. Many of those expressed concern over the limited number of authorities that it would cover, and doubts that private sector firms would voluntarily adopt it. Almost a quarter also said they did not think the code of conduct would create greater transparency from CCTV operators. The government said it would review whether more authorities needed to be covered by the code and whether further legislation was needed to cover the private sector by 2015. There have been growing concerns over the proliferation of CCTV devices, many of which are connected to the internet. Last year, researchers discovered that many CCTV systems used by businesses and home owners could be easily compromised, allowing would-be snoopers free rein to use the devices to spy on properties. [Source]

CA – Ajusto Campaign Explains Usage-Based Car Insurance

Launched this month in Ontario and Quebec, Ajusto is the first usage-based car insurance (UBI) program offered by a major insurer in Ontario (Industrial Alliance Auto and Home Insurance offers a similar product in Quebec). Ajusto modifies drivers’ insurance premiums based on their actual driving habits using data from a small device installed in the client’s car. What that means for consumers: safe driving equals savings. UBI systems like Ajusto weren’t viable in the past because of the expense of producing telematics devices and the complexity of using them. Aviva trialed a UBI as far back as 2005, but it relied on the driver physically uploading telematics data to a computer and voluntarily sending it to the company, which turned out to be overly complicated. Côté said the technology has come a long way since then. Ajusto allows a driver to see their savings rate change each month by logging into a user dashboard on the site, he explained. [Source]

Telecom / TV

US – State Prosecutors Introduce “Save Our Smartphones” Initiative

A group of law enforcement officials, politicians, and consumer advocates aim to help fight the growing theft of smartphones, which has reached “epidemic” proportions, according to San Francisco District Attorney George Gascon. The group plans to ask the manufacturers of the most widely used devices – Apple, Google/Motorola, Microsoft, and Samsung – to develop features that make the phones less attractive to thieves. The announcement of the initiative came on the same day that Gascon and New York Attorney General Eric Schneiderman were hosting a Smartphone Summit with representatives from major smartphone makers. [CNET] [Washington Post] [NBC News] [ComputerWorld]

WW – Apple iOS7 Will Include Activation Lock Security Measures

Apple has announced that the newest version of its mobile operating system, iOS 7, will include a “kill switch” feature to make iPhones less attractive to thieves. Users will need to provide a valid Apple ID and password before they are permitted to erase data or turn off the “Find My iPhone” feature. The same combination of Apple ID and password will be required to reactivate the device after it has been erased remotely. iOS 7 is expected to be available this fall. [CNN] [eWeek]

US Government Programs

US – Nude Scanners Removed, Advocates Still Displeased

In accordance with the June 1 deadline set by Congress, the Transportation Security Administration (TSA) has removed “nude” x-ray-based body scanners from U.S. airports. But privacy advocates remain dissatisfied, citing the TSA’s continued use of different full-body scanners that employ millimeter wave technology. The current scanners display a generic figure and pinpoint areas on the body where hidden objects have been detected. But Marc Rotenberg, executive director of the Electronic Privacy Information Center—which sued the TSA in 2010 over the scanners—says there are “lingering questions about whether the millimeter-wave devices are retaining images.” A TSA spokesman said the machines are programmed not to retain them. [Los Angeles Times]

US – GAO Investigating Data Brokers

Sen. Jay Rockefeller (D-WV) has commissioned a study of data resellers by the Government Accountability Office (GAO) to be completed in late summer. GAO Managing Director of Public Affairs Chuck Young says the organization is looking into “laws and regulations regarding the privacy of consumer information held by information resellers and what gaps, if any, exist in this legal framework” as well as key proposed options to improve consumer privacy. The Senate Commerce Committee and the Federal Trade Commission also have ongoing investigations of data brokerage firms. [AdAge]

US – DHS Defends Searches of Electronic Devices Without Reasonable Suspicion

The American Civil Liberties Union (ACLU) obtained DHS’s December 2011 Civil Rights/Civil Liberties Impact Assessment through a Freedom of Information Act (FOIA) request. Regarding border searches of electronic devices, the redacted document says that “imposing a requirement that officers have reasonable suspicion in order to conduct a border search of an electronic device would be operationally harmful without concomitant civil rights/civil liberties benefits.” The document observes that DHS has “been presented with some noteworthy Customs and Border Patrol and Immigration and Customs Enforcement success stories based on hard-to-articulate intuitions or hunches based on officer experience or judgment. Under a reasonable suspicion requirement, officers might hesitate to search an individual’s device without the presence of articulable factors capable of being formally defended.” [ArsTechnica] [WIRED] [Impact Assessment]

US – Man Drops Lawsuit Over Seized Laptop

A man whose laptop was seized by the US Department of Homeland Security (DHS) has dropped his lawsuit challenging the seizure. David Maurice House filed a lawsuit in May 2011, alleging that the seizure was motivated by his association with Bradley Manning. House was a founding member of the Bradley Manning Support Network. Data related to that organization, including donor information, were on the seized laptop. House said that the government has agreed to delete any copies of the data from his machine that it has made, and will give him notes agents made about the hard drive. DHS’s Department of Immigration and Customs Enforcement (ICE) seized the laptop, along with a thumb drive and a digital camera, when House returned from a trip to Mexico in November 2010. The equipment was kept for 49 days; regulations call for the equipment to be returned within 30 days. [WIRED]

US Legislation

US – Legislative Roundup

On May 28, in Oregon, HB 2654 officially became law. Going into effect Jan. 1, 2014, the law prohibits an employer from requiring or requesting employees or applicants for employment to provide access to personal social media accounts, to add their employer to a social media contact list or to allow an employer to view an employee’s or applicant’s personal social media account. It further prohibits retaliation by an employer against an employee or an applicant for refusal to provide access to accounts or to add an employer to a contact list. It similarly limits educational institutions.

On May 21, in Washington, SB 5211 officially became law. Going into effect July 28, 2013, the law prohibits employers from asking for social media log-in information, from engaging in a practice known as “shoulder-surfing” (essentially forcing an employee to log into a social media account while the employer looks on), from forcing someone to add an employer (or anyone else) as a social media connection and from forcing an employee to change privacy settings on an account.

Jackson Lewis rounds up the law’s implications and notable exceptions.

Washington and Oregon join Arkansas and Colorado in adding social media laws this spring.

New Jersey still awaits the fate of A2878, which was passed by the Assembly and Senate, only to be conditionally vetoed by Gov. Chris Christie earlier this year. Taking in the governor’s recommendations to eliminate a portion of the bill that would have allowed employees to sue employers who violated the law, a revised version of the bill unanimously passed the Assembly in late May and now awaits a vote in the Senate. It appears likely the bill will eventually make its way to Christie’s desk and be signed into law. The law would prohibit any requirement to disclose user names and passwords or other means of accessing a social media account through any electronic communications device. [The Next Privacy Frontier: Geolocation]

US – California Legislature Wrangles With Social Media Privacy

In early May, the California Assembly followed an emerging national trend to protect more workers’ social media from employers’ prying eyes. On a 63-8 vote, the Assembly passed Assembly Bill 25, which would extend protections now given to private employees and job applicants to public employees and those seeking government jobs. The bill, by Assemblywoman Nora Campos, D-San Jose, prohibits employers from asking for user names and passwords as well as any other personal social media. But it’s drawing opposition from law enforcement groups and background investigators, who say the measure would ban many of the practices they use to disqualify applicants for such factors as drug use, gang affiliation and accessing child pornography. [Source]

US – Conn. Lawmakers OK Compromise Newtown Privacy Bill

Connecticut State lawmakers passed an 11th-hour compromise bill on the final day of the legislative session, preventing the release of crime-scene photos and video evidence from the Sandy Hook Elementary School massacre and other Connecticut homicides, concerned such records would be spread on the Internet. The bipartisan legislation came after days of closed-door talks and speculation about whether an agreement could be reached before the midnight adjournment. But once agreement was reached, the bill was quickly and overwhelmingly approved. It passed the Senate 33-2 shortly after 1:30 a.m. The House of Representatives then passed it a half hour later by a vote of 130-2. It now moves to Gov. Dannel P. Malloy’s desk for his signature. According to the bill, a new exemption is created under the state’s Freedom of Information Act. It prevents the release of photographs, film, video, digital or other visual images depicting a homicide victim if such records “could reasonably be expected to constitute an unwarranted invasion of the personal privacy of the victim or the victim’s surviving family members.” [Source]

US – Maine Lawmakers Pass Bill Requiring Warrant for Cell-Phone Tracking

Maine’s State Legislature has approved a bill that would require law enforcement to obtain a warrant from a court to access individuals’ cell-phone location data. If the bill becomes law, Maine would be the first state to impose such a requirement. The bill provides exceptions for emergencies, such as life or death situations or threats to national security. Law enforcement would also be required to notify people whose information was obtained within three days, but the time requirement can be delayed up to 90 days if a judge deems there is evidence that earlier disclosure could pose a threat to an investigation. [ComputerWorld]

US – Budget May Stop Maine Bill Requiring Warrant for Geodata

Maine’s House and Senate have both essentially passed LD 415, An Act To Require a Warrant To Obtain the Location Information of a Cell Phone or Other Electronic Device. LD 415 would do basically what its title says, with some 90-day delay allowances at the discretion of a judge. However, the bill does not yet sit on the governor’s desk awaiting signature. Because the bill has been assigned a fiscal note of roughly $234,000 over the next two years, it now sits with the Appropriations Committee, which must decide whether there is funding in the budget to cover the expense. [Source]

Workplace Privacy

US – NB Workplace Random Alcohol Tests Rejected by Top Court

The Supreme Court of Canada has overturned a company’s right to impose mandatory, random alcohol testing on its unionized workers in a dangerous workplace. In a 6-3 decision, the court ruled that the policy unilaterally adopted by Irving Pulp and Paper Ltd. in Saint John in 2006 for employees in safety-sensitive positions is unreasonable. A dangerous workplace is not automatic justification for random testing, the court ruled in the case, which dealt narrowly with unionized workers and management’s ability to balance privacy rights with the need for safety in dangerous workplaces. The decision says the dangerousness of a workplace only justifies testing particular employees in certain circumstances:

> Where there are reasonable grounds to believe an employee was impaired while on duty.

> Where an employee was directly involved in a workplace accident or significant incident.

> Where the employee returns to work after treatment for substance abuse.

“It has never, to my knowledge, been held to justify random testing, even in the case of ‘highly safety sensitive’ or ‘inherently dangerous’ workplaces like railways and chemical plants, or even in workplaces that pose a risk of explosion, in the absence of a demonstrated problem with alcohol use in that workplace.” [Source] SEE ALSO: [US: Employers and Schools that Demand Account Passwords and the Future of Cloud Privacy]

US – Hospitals Use Cameras, Sensor Tags to Track Hand Washing

Summerville Medical Center, a 94-bed acute-care hospital in South Carolina, is having employees wear sensor tags to determine who is washing their hands before and after coming into contact with patients. The technology was first rolled out in the medical center’s intensive care unit in the spring of 2012 and then expanded to its surgery units and the emergency room. Developed by GE Healthcare, the sensor tags are called AgileTrac RTLS (Real-Time Location System). The automated system supporting the RTLS tags collects up to 5,000 data points a day, compared with 700 per year from manual observation by staff. Each hospital caregiver wears a badge-like sensor tag that counts room entries and exits as well as the use of soap or sanitizer dispensers. The data collected from the system is used to model and characterize clinician-patient interactions, providing detailed data to help monitor and modify behavior. North Shore University Hospital on Long Island uses motion sensors to activate remote cameras that track when caregivers enter an intensive care room. The video cameras transmit the images to India, where workers for Arrowsite, a Web-based application services provider, check to see whether clinicians are properly washing their hands. [Source]


16-31 May 2013


CA – Stoddart: PIPEDA Reform, Enforcement Powers Needed

Privacy Commissioner Jennifer Stoddart, wrapping up 10 years in her office this year, used her keynote address at the IAPP Canada Privacy Symposium in Toronto to lay out her recommendations for reforming the Personal Information Protection and Electronic Documents Act. In short, amendments should include stronger enforcement powers, mandatory data breach reporting, teeth behind accountability and increased transparency measures. [Source] [Canada’s privacy laws inadequate for digital age, watchdog says] See also: [Commissioner Cavoukian marks 25 years of innovative access and privacy leadership in Ontario] and [Ontario power plant cancellations: Information watchdog Ann Cavoukian scolds Liberals for deleting emails]

CA – Government Went Too Far in Surveillance of First Nations Advocate: Report

The federal privacy commissioner says two government departments went too far in their monitoring of a First Nations children’s advocate and her personal Facebook page. Commissioner Jennifer Stoddart was looking into a complaint from activist Cindy Blackstock, executive director of an organization fighting the federal government in court over First Nations child welfare programs. Stoddart says the Department of Aboriginal Affairs and the Department of Justice violated the spirit, if not the intent, of the Privacy Act by compiling information from Blackstock’s personal Facebook page. Both departments have agreed to cease and desist their monitoring, destroy personal information not directly linked to federal policy, and set up a new system to make sure such surveillance does not happen again. The privacy commissioner found no merit to two other privacy complaints from Blackstock. [Source] See also: [Jeffrey Delisle case: CSIS secretly watched spy, held file back from RCMP]

CA – Top Court Won’t Hear Case For Sperm-Donor Dad’s ID

The Supreme Court of Canada will not hear an appeal from a woman who wanted to know the identity of her sperm-donor father. The appeal court said she has no constitutional right to information about her biological father. The court said providing such information would amount to state intrusion into the lives of many people. As usual in such decisions, the Supreme Court gave no reasons for refusing to hear the appeal. [Source]

CA – Security Breach Legislation Suffers Another Setback

The Harper government’s opposition to a private member’s bill calling for mandatory security breach notification is embarrassing, says privacy expert Michael Geist. It has been nearly two years since the government introduced Bill C-12, its proposed legislation featuring security breach disclosure notification, and it looks as if legislators are nowhere near coming up with a meaningful reform of the country’s online privacy law, according to the Ottawa-based Internet law expert. Conservative MPs in the House of Commons last week opposed a security breach disclosure bill (Bill C-475) introduced by New Democratic Party MP Charmaine Borg even though it was “roughly similar” to their party’s own Bill C-12. “The opposition to meaningful privacy reform is particularly discouraging given the thousands of breaches that have occurred in recent years from within the government itself and its claim to be concerned with the privacy of Canadians,” he wrote in a blog this week. Both Borg’s Bill C-475 and the Conservatives’ Bill C-12 include requirements to notify the Privacy Commissioner of Canada in the event organizations suffer certain security breaches. [Source]

CA – Online Surveillance Bill Would Have Unlocked Personal Secrets: Report

The Canadian Press reports on a new study by the Office of Privacy Commissioner Jennifer Stoddart indicating that a bill that would have given police more information about Internet users would have “unlocked numerous revealing personal details.” The report found that the online surveillance bill would have acted as “a digital key” to an individual’s details, Stoddart said, adding, “In general, the findings lead to the conclusion that, unlike simple phonebook information, the elements examined can be used to develop very detailed portraits of individuals, providing insight into one’s activities, tastes, leanings and lives.” The government dropped the bill earlier this year following widespread criticism. [Source]

CA – SK Commissioner Concerned About Securities Amendment Act

Saskatchewan Information and Privacy Commissioner Gary Dickson says he remains concerned that a bill passed by the provincial government this spring (Bill 65, The Securities Amendment Act, 2012) creates a new right of privacy for corporations. “Privacy law 101 — just a key foundational principle — is that privacy is uniquely the right of an individual. Corporations cannot have a right of privacy. And yet the bill that’s just been passed in fact indicates that corporations do have a right of privacy.” Dickson says the bill “specifically carves certain records out from the scope of the Freedom of Information and Protection of Privacy Act” and the issue could lead to confusion around privacy law in the province. He also speculated that the change “could be exploited” and corporations could now argue that they have a right of privacy. Dickson says his office was never consulted about Bill 65, but has been raising red flags about it since March. He expected a house amendment would address the issues he raised. Instead, his concerns were dismissed — he believes incorrectly — when the bill reached the committee stage. [Source]


US – How Data Access May Improve Consumer Confidence

Even as the data collection capabilities of mobile carriers, household energy suppliers and others increase, consumers have difficulty accessing their own personal data. “Never mind all the hoopla about the presumed benefits of an ‘open data’ society,” the article states, “In our day-to-day lives, many of us are being kept in the data dark.” Future of Privacy Forum Director Jules Polonetsky, CIPP/US, said consumers may feel more comfortable about having their personal data mined if businesses demonstrate direct consumer benefits arising from collection. [The New York Times]

US – Teens Post More but Manage Privacy Settings

A new Pew Research Center survey indicates that teens are posting more about themselves on social networking sites but are also taking formal and informal steps to manage their online privacy and reputation. The research canvassed 802 individuals between ages 12 and 17 and their parents. 60% of Facebook users used the highest privacy setting while 14% said their Facebook pages are public. Co-director Larry Magid said, “The idea that young people will post anything is not true” and many are “thinking about whether this is something I’d want my grandmother, a college administrator, an employer or a future boyfriend or girlfriend to see.” [USA TODAY]

US – States Drop Out of Tracking Database

Officials in several states are backing away from a $100 million database intended to track students from kindergarten through high school. The database was launched this spring and stores student data including test scores, learning disabilities and discipline records. But parents and civil liberties groups have raised concerns about potential privacy breaches. Louisiana’s superintendent of education withdrew student data from the database in April and plans to hold public hearings on data retention and security. New York, Illinois and Colorado are active participants. The mother of a 10-year-old public school student said the thought of her son’s medical treatments being stored on the cloud indefinitely “feels like such a violation.” [Reuters]

US – Do College Kids Care About Privacy?

USA TODAY explores whether college students are concerned about the personal information businesses access about them as online games, streaming services and social networking sites increasingly give third parties access to the online data they’ve collected. Woody Hartzog, assistant law professor at Alabama’s Samford University, said, “Young people don’t think about privacy of information to third parties. When they get older, it becomes more real. It largely stems from young people not thinking about their information being given to third parties, and maybe not caring.” [Source] [PEW Internet Study]

WW – Teenagers Care More About Online Privacy Than You Think

New research by the Pew Research Center and the Berkman Center for Internet & Society reveals that teens are surprisingly shrewd about protecting their personal data on social networks. The joint paper found that teenagers are sharing more and more personal information online: 91% of teenagers post at least one photo of themselves (up from 79% in 2006), while 71% post their school name (up from 49%), 53% post their email address (up from 29%), and 20% post their cell phone number (up from 2%). At the same time, teenagers are more and more cautious about who sees this information: about 60% of teen Facebook users set their profiles to private (friends only), and most report high levels of confidence in their ability to manage their settings. Today’s teenagers are, in the eyes of Pew, walking contradictions, increasingly open despite their understanding of privacy risks (and mastery of the tools needed to combat them). So what explains the privacy paradox? Teens care about privacy in a social context, not a big data context. [Source]

US – P&G Partners with Eye-Tracking Firm

Procter & Gamble (P&G) has announced a European-based partnership with eye-tracking firm Sticky. The company has been trialing the eye-tracking service and cancelling ads that aren’t getting seen. “Applying Sticky’s tracking to our digital media campaigns will help us to optimize and increase our ROI on digital marketing investments in some campaigns up to 25%,” said P&G’s head of digital. Sticky uses webcams to record eye movements from page to page. [Adweek]


US – IRS Probe Brings Section 6103 into Limelight

As U.S. lawmakers investigate actions by the Internal Revenue Service (IRS) that may have targeted conservative nonprofit groups, some of the fact-finding is being hampered by Section 6103 of the tax code, which establishes taxpayer privacy rights. Passed by Congress in 1976 after it came to light that Richard Nixon wanted to audit his political opponents, 6103 creates a presumption that taxpayer information is private unless it is needed for a specific investigation targeted at that individual. In the current probe, since it is the IRS itself that is under investigation, many congressional questions can’t be answered directly by the IRS, as the answers involve private taxpayer information. [Bloomberg]

See also: [US: Data breach puts DHS employees at risk of identity theft]

AU – House Removes Parliamentary Departments from FOI Scrutiny

The Parliamentary Service Amendment (Freedom of Information) Bill 2013 sailed through the Australian House of Representatives in 11 minutes flat. Not a query or concern from any quarter. If they stick together the two major parties have the numbers to push this through the Senate. The bill amends the Parliamentary Service Act 1999 to remove the parliamentary departments and office holders from the Freedom of Information Act 1982. Completely and retrospectively. The Australian Information Commissioner in 2012 had issued guidance that the departments were agencies subject to FOI, and had been since 1999, something overlooked by all and sundry.[Source]

Electronic Records

US – Hospital Creates Portal to Protect Teens’ Data

In an effort to address concerns over children’s privacy when it comes to their personal health records (PHR), Boston Children’s Hospital (BCH) has developed a custom-built PHR portal with separate accounts for patients and their parents. While children’s PHRs are generally controlled by their parents, teenagers have a right to privacy regarding the information they share with physicians, according to BCH’s Fabienne Bourgeois. “The parent has sole access to the patient’s portal until the patient turns 13, at which point both the parent and the patient can have access,” Bourgeois reports. At 18, access is restricted to the patient. [InformationWeek] See also: [Commissioner Cavoukian Commends Government of Ontario for Clarifying Privacy Rights for Electronic Health Records] and [Ontario Strengthening Patient Privacy] [ON: City’s disciplinary action not protected: privacy commission]


US – Magistrate Reverses Ruling, Requires Man to Decrypt Storage Devices

US Magistrate William Callahan Jr. has ordered a Wisconsin man suspected of possessing child pornography to decrypt hard drives that law enforcement authorities seized from his home. In early April, Callahan ruled that ordering Jeffrey Feldman to decrypt the devices would violate his Fifth Amendment rights. At that time, prosecutors had been unable to crack the encryption on any of the devices. Since that ruling, prosecutors managed to decrypt a portion of one of the devices and found content linking Feldman to the drives. Callahan therefore reversed his order, writing, “the government has now persuaded me that it is a ‘foregone conclusion’ that Feldman has access to and control over the subject storage devices” and that “Fifth Amendment protection is no longer available to” the defendant. Callahan has ordered Feldman either to provide prosecutors with the passwords necessary to decrypt the data storage devices or to provide decrypted copies of everything on those drives. [WIRED] [ComputerWorld] SEE ALSO: [Washington Post] [Forbes] [Cryptome]

WW – Google Will Upgrade SSL Encryption Keys

By the end of 2013, Google plans to upgrade all of its SSL certificates to 2048-bit RSA keys, replacing the 1024-bit keys in use today. The change is scheduled to begin in August. Google plans to upgrade its root certificate as well, so clients must trust the new root, not just accept a longer key. Certain client software embedded in devices like phones, gaming consoles and cameras could run into problems with the upgrade; Google has offered advice to help mitigate those issues. [Ars Technica] [h-Online] [ZDNet] [ComputerWorld]
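The practical question for anyone running a fleet of clients is which of the certificates they already trust or serve still carry sub-2048-bit RSA keys. The following is an added example, not Google's tooling or anything from the linked articles: a standard-library-only Python audit that walks the DER encoding of a PEM SubjectPublicKeyInfo (what `openssl x509 -in cert.pem -pubkey -noout` prints) to find the RSA modulus and compares its size with a policy minimum. The `build_rsa_spki_pem` helper and the moduli passed to it are constructed sample input, not real keys; the function names and the 2048-bit threshold are this example's own choices.

```python
"""Audit the RSA modulus size of a PEM-encoded SubjectPublicKeyInfo.

Added example (not Google's code).  Standard library only: a minimal
DER tag-length-value walker, enough to reach the modulus inside
    SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm        SEQUENCE { OID rsaEncryption, NULL },
        subjectPublicKey BIT STRING { SEQUENCE { INTEGER n, INTEGER e } } }
and compare its bit length against a policy minimum.
"""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
MINIMUM_RSA_BITS = 2048  # policy threshold chosen for this example


def _der_len(n):
    """DER length: short form below 128, otherwise 0x80|count + big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value):
    """Positive DER INTEGER; a leading 0x00 keeps the sign bit clear."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return _tlv(0x02, body)


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_rsa_spki_pem(n, e=65537):
    """Constructed sample input only: encode (n, e) as a PEM SubjectPublicKeyInfo."""
    rsa_pub = _tlv(0x30, _der_int(n) + _der_int(e))
    alg_id = _tlv(0x30, _tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    spki = _tlv(0x30, alg_id + _tlv(0x03, b"\x00" + rsa_pub))  # 0x00 = no unused bits
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def pem_to_der(pem):
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY block found")
    return base64.b64decode("".join(m.group(1).split()))


def rsa_modulus_bits(pem):
    """Return the RSA modulus size in bits; raise if the key is not rsaEncryption."""
    tag, spki, _ = read_tlv(pem_to_der(pem))
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg_id, pos = read_tlv(spki)           # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg_id)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = read_tlv(spki, pos)    # subjectPublicKey BIT STRING
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsa_pub, _ = read_tlv(bit_string[1:])    # RSAPublicKey SEQUENCE
    _, modulus, _ = read_tlv(rsa_pub)           # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()


def meets_policy(pem, minimum=MINIMUM_RSA_BITS):
    return rsa_modulus_bits(pem) >= minimum


if __name__ == "__main__":
    import sys
    bits = rsa_modulus_bits(sys.stdin.read())
    print(f"RSA {bits}-bit: {'OK' if bits >= MINIMUM_RSA_BITS else 'BELOW POLICY'}")
```

Pipe a real certificate through `openssl x509 -in cert.pem -pubkey -noout | python3 keysize_audit.py` to check one leaf; run it over a trust store or a device firmware's bundled CA certificates to find the roots that will need replacing. The parser deliberately refuses non-RSA keys rather than guessing, and it reads the modulus length from the DER INTEGER rather than from the certificate's printed text, so it is not fooled by display rounding.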

EU Developments

EU – New Data Protection Rules at Risk, EU Watchdog Warns

European Data Protection Supervisor Peter Hustinx highlighted the need to “distinguish the proposal from the rhetoric” in light of the lobbying around the proposed data protection regulation. Hustinx addressed the media after delivering his annual report to the European Parliament’s Civil Liberties, Justice and Home Affairs Committee in order to stress the importance of passing the legislation. Failure to do so before the end of Parliament’s tenure would “have serious repercussions in terms of economic development,” said Hustinx. German Rapporteur Jan Philipp Albrecht told EUobserver of his concerns that the EU may end up with weaker legislation than it has now, contravening a 2011 vote to create a law at least as strong as, if not stronger than, the 1995 directive. [EurActiv]

EU – The Regulation, Its Future and Questions on Profiling: A Roundup

A look through EU headlines from the past week yields a consistent theme: the proposed data protection regulation. Reports highlight concerns voiced by European Data Protection Supervisor Peter Hustinx and German Rapporteur Jan Philip Albrecht as well as worries from charitable organizations that the regulation could impact their ability to reach donors. As Field Fisher Waterhouse’s Eduardo Ustaran, CIPP/E, notes in his recent blog on the regulation and the issue of profiling, “The Working Party appears to sit somewhere in the middle between the commission’s proposal and Albrecht’s approach. That is still a very strict position to adopt, clearly aimed at eliminating the perceived risks of profiling…” [The Privacy Advisor] [Euro-deputies diverge on data protection details] [KPMG: 51% of organisations in UK fail to comply with EU cookie law]

EU – DPA Defines Obligations for Data Breaches

Stefano Taglibue reports on the Italian Data Protection Authority’s (Garante) recent decision defining obligations for telephone companies and Internet service providers regarding potential data breaches. Under the definition, providers must notify the Garante of a breach within 24 hours. Fines of up to 100,000 euros may be issued for failure to notify and of up to 1,000 euros per individual involved for failure to communicate the event to those involved, Taglibue writes. [The Privacy Advisor]

EU – Working Party Explains BCRs for Processors

The Article 29 Working Party has issued an explanatory document on Binding Corporate Rules for processors in response to the outsourcing industry’s request for a legal tool that reflects data-transfer practices today. The document includes clarity on such issues as onward transfers, cooperation and legal enforceability. [The Privacy Advisor]

EU – Ireland: Data Subject Told “Prove Your Loss”

The Irish High Court recently decided that for damages to be recoverable by a data subject for breaches of the Data Protection Acts, the data subject must prove that he suffered loss as a result of the breaches. In Michael Collins v FBD Insurance plc, Mr Collins had been awarded damages of €15,000 by the Circuit Court for four breaches of the Data Protection Acts by the defendant insurance company. The breaches arose out of the manner in which a private investigator obtained and processed personal data of the plaintiff, including a criminal conviction, on behalf of the insurance company, and the failure by the insurance company to respond to data access requests in a timely manner. The only question for the High Court was whether, in order for the plaintiff to be entitled to damages for breach of section 7 of the Data Protection Acts, the plaintiff had to prove to the court that he had suffered loss or damage arising from the breaches. This case will be of some assistance to data controllers and processors in determining their exposure arising from breaches of the duty of care owed to data subjects under the Data Protection Acts. [Source]

EU – Commissioner Dislikes Xbox’s View Into the Living Room

Germany’s federal data protection commissioner says he’s “unsettled” by Microsoft’s new Xbox One console, launched by the company last week. Commissioner Peter Schaar says the box “records all sorts of personal information” that could be recorded and transferred to third parties. “The fact that Microsoft is now spying on my living room is just a twisted nightmare,” Schaar said. Microsoft says it is not using the box’s system to “snoop on anybody at all.” [Slate]

EU – In Denmark, Online Tracking of Citizens is an Unwieldy Failure

Five years ago, Denmark passed a law requiring telecommunication companies to retain and store customers’ personal data for up to one year. Now, the telecom industry and advocates are calling for changes to the law, citing “an unjustifiable invasion of privacy.” Police say the law hasn’t helped them track criminals, but the Danish government wishes to delay a review of the law for two years. [TECHPRESIDENT]

EU – Google, Microsoft, Yahoo Secret Backers of European Privacy Association

The European Privacy Association (EPA) has revealed that several U.S.-based tech companies are backers. Last week, the Corporate Europe Observatory (CEO)—a watchdog that “works to expose privileged access in EU policy making”—filed a complaint stating the EPA, while working to represent industry interests in EU data protection reforms, did not list any backers on the EU Transparency Register, the report states. A CEO representative said the group’s name conflicts with its pro-industry stance, creating a “confusing…mismatch.” In a press release, the EPA said, “We are immediately clarifying such discrepancies” to ensure that they’re “in line with the guidelines of the European Union.” [IDG News Service]

UK – Court: Compensation Only if Damages Are Due To Breach of DPA

The England and Wales Court of Appeal recently ruled that businesses “do not have to pay compensation for causing distress to consumers if they break data protection laws unless the distress suffered by consumers is linked to the breach itself.” The ruling stemmed from a customer’s complaint that, after he received damages in a breach case, the finance company involved placed his settlement in a closed account and entered incorrect information about him in its systems indicating his account was in arrears, information that was then shared with a credit scoring agency. The customer claimed the company had breached the terms of the district court order and asked the court for further damages, prompting the court’s ruling.

UK – Commissioner: Serious Breach Offenders Deserve Prison Time

UK Information Commissioner Christopher Graham says people who misuse personal information should face tougher penalties, including prison time, citing a recent case in which a community health manager took personal data from the health center to use for his own fitness company. The man e-mailed data on 2,471 patients to his personal account, and soon thereafter patients approached by the man began to complain. The man was fined £3,000 and ordered to pay other legal costs. Graham said the government “must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.” [Public Service]

EU – Garante Issues Fines Totaling 800,000 Euros

The Italian Data Protection Authority (Garante) has issued three orders of injunction against two IT companies—specialized in the data bank sector—and a telecom operator obliging them to pay fines equal to 800,000 euros for violating prescriptive measures already adopted toward them in 2008. “The two companies specialized in the data bank creation had created and sold data banks containing tens of millions of people’s personal data, without having both informed data subjects and acquired their consent,” explains Rocco Panetta. The companies will have to pay fines of 100,000 euros and 400,000 euros, respectively, and the telecom will pay a fine of 300,000 euros. Further orders of injunction are expected against other companies. [The Privacy Advisor]

EU – Facebook Appoints New Privacy Counsel, Gets OK from DPA

Irish Data Protection Commissioner Billy Hawkes says he’s satisfied with the work Facebook has done to meet a four-week deadline to comply with recommendations on improving user privacy. Had the company failed to comply, it would have faced fines of up to 100,000 euros. Following an audit by Hawkes’ office, the company had implemented changes to transparency and user controls, but a number of the office’s recommendations had not been met, prompting the four-week deadline. Facebook has also announced the appointment of a lead data protection and privacy counsel to its Dublin headquarters. [the Independent]


UK – ISPs Block Two More Sites Accused of Enabling Piracy

To comply with a court order obtained by the Motion Picture Association (MPA), major UK ISPs have begun blocking two websites that have been accused of allowing downloads of pirated movies. There are now six sites for which industry groups have obtained court orders requiring blocks. The British Phonographic Industry (BPI) has named 25 sites it would like to see be blocked for aiding illegal downloads of popular music. [BBC] [CNET]

AU – Australian Government Shuts Down 1,200 Sites in Effort to Target Just One

In an attempt to block a website believed to be associated with a financial scam, the Australian government shut down 1,200 other sites that were unrelated to the targeted site except for the fact that they were hosted on the same IP address. Although the Australian government was not initially forthcoming with information about the source of the block request, it was finally revealed that the sites had been blocked at the request of the Australian Securities and Investments Commission (ASIC), the country’s financial regulator. The block was requested because the site was believed to be in violation of the Telecommunications Act 1997, which obliges service providers “to prevent telecommunications networks and facilities from being used in, or in relation to, the commission of offences against the laws of” Australia. All the other sites were affected because ASIC gave ISPs the IP address of the shared server on which the site was hosted instead of the suspect site’s specific domain name; on shared hosting, one address can front hundreds of unrelated domains, so an IP-level block is far blunter than a domain-level one. [Ars Technica] [SMH]


CH – Switzerland Eases Bank Privacy Law

Following requests by the U.S. government for information about potential tax cheats, the Swiss government has agreed to ease its privacy laws and allow banks to disclose information on U.S.-based clients to the Internal Revenue Service (IRS). Swiss banks will now be able to deliver client details to the IRS, along with any fines that might be appropriate, in exchange for amnesty from further U.S. indictments. In order for the agreement to proceed, the U.S. would have to ratify a new taxation treaty between the two countries. [The Boston Globe]

EU – EU Sets Deadline for Bank Data Sharing

“EU leaders have agreed that the automatic sharing of individuals’ bank account data, a key measure to prevent tax evasion, should become law across all member states by the end of the year.” The report references EU President Herman Van Rompuy’s comments at a press conference calling for “member states to complete adoption of regulation covering private savings aimed at ending bank secrecy.” The report follows comments by French President Francois Hollande noting EU countries will start working on an automatic exchange of tax information. [AAP]

WW – Privacy and Data Security: Why Should Investors Care?

As data increasingly becomes the lifeblood of many businesses, the ability to shield and protect that data from mismanagement, hackers and cyberespionage is not only “vital to consumers” but also “critical to investors in publicly held U.S. companies”. “We believe boards have a fiduciary and social responsibility to protect company assets,” they write, “including personal information.” Meanwhile, a new survey reveals that 31% of European businesses have experienced a cyberattack in the last year. Consero Group Founder and CEO Paul Mandell says, “Confidence in information security is likely diminished by the high level of publicity surrounding recent cyberattacks and will likely continue to decline before it gets better.” [The Guardian]

US – Tea Party Group Sues Tax Collectors for Privacy Breach

The NorCal Tea Party Patriots, a northern California-based advocacy group, sued the U.S. Internal Revenue Service for allegedly breaching its federal privacy rights and the rights of like-minded organizations. The IRS has acknowledged that employees in its Cincinnati office targeted for special review groups seeking tax-exempt status as social welfare organizations that were also advocates for limited government and free markets. President Barack Obama has called the conduct “outrageous.” Four congressional committees are reviewing the matter and acting IRS Commissioner Steven Miller resigned. “Under pain of denial of tax-exempt status, the IRS and its agents singled out groups like NorCal Tea Party Patriots for intensive and intrusive scrutiny,” the group alleged today in a complaint filed at the U.S. court in Cincinnati. It seeks group status for “all conservative and libertarian groups targeted for additional scrutiny” between March 2010 and May 2013, together with unspecified money damages for the alleged violation of their constitutional rights and costs of compliance with the unlawful demands. The case is NorCal Tea Party Patriots v. The Internal Revenue Service, 13-cv-00341, U.S. District Court, Southern District of Ohio (Cincinnati). [Source]

US – IRS Sued for Allegedly Stealing EHRs of 10 Million Individuals

A lawsuit filed in California alleges that the US Internal Revenue Service (IRS) violated the Health Insurance Portability and Accountability Act (HIPAA) when it seized electronic health records belonging to 10 million US citizens. The lawsuit, filed by an attorney on behalf of a corporate client identified as John Doe Co., alleges that when the 15 IRS agents raided the company in March 2011, they did not have a search warrant or a subpoena. The seized records include “information about treatment for any kind of medical condition, … and a wide range of medical matters covering the most intimate and private of concerns.” The seized data were in electronic format and were allegedly taken in connection with an investigation into “a tax matter involving a former employee of the company.” The lawsuit is seeking monetary damages as well as a court order requiring the IRS to return the records and remove them from their databases. [NextGov] [Actual Suit]


CA – Alberta Putting Raw Data Online for Study, Business

Who knew that compared with the rest of Canada, Alberta is a Y chromosome extravaganza, with 101 men for every 100 women? Or that there were six cases of mumps in 2012, that 19% of Alberta men say they binge drink, and that we share the road with more than 3,000 licensed drivers aged 90 or over? And that in Alberta, Big Tobacco isn’t giving up without a fight. In the past decade, the number of men who smoke has remained steady at 20%. The data is among the reams of charts, graphs and searchable tables launched by the Alberta government for intrepid researchers and entrepreneurs to either learn from or spin into commercial gold. Service Alberta Minister Manmeet Bhullar said the service is called the Open Data Portal. “It provides Albertans with a single access point for all publicly available provincial government data.” [Source]


CA – Alberta Police Representatives Push For DNA Tests Upon Arrest

Along with fingerprinting and photographing, cops should also be able to swab suspected criminals’ cheeks for DNA as part of the routine booking procedure, police representatives in Alberta say. Armed with its “Legislative and Police Strategy Targeting Repeat and High Risk Offenders,” the Alberta Federation of Police Associations recently went before federal MPs to call for reforms in DNA collection, parole authorization and other areas of law enforcement. Chief among the items in the proposal is changing the point of DNA collection from the point of conviction (and subsequent court order) to the time of arrest. The thinking, according to newly elected federation director Paul Wozney, is to speed up potential solving of other cases, cut down on the “maze” of court procedures to obtain a warrant for DNA, and expand the list for when a cheek swab can occur to include any indictable offence. [Source] SEE ALSO: [The Art of Turning Discarded Chewing Gum Into Your Portrait]


WW – Google Unveils Object-Recognition Feature

Google’s latest rollout is an object-recognition feature that has thus far flown under the radar. “Photo Search with Visual Recognition” allows users to search for an object on Google’s network and view all photos taken of that object by people in their Google+ circles, the report states. “Of course, the privacy-invading nature of social network ‘upgrades’ has now become such old news that the Google+ feature may go off without a hitch,” the report states, noting, however, that the feature does somewhat mitigate privacy concerns by only allowing searches within established circles. [The Huffington Post]

US – Congress Wants Answers on Google Glass

Eight members of Congress have sent Google CEO Larry Page a letter requesting answers on the privacy implications of Google Glass. “We are curious whether this new technology could infringe on the privacy of the average American,” said Rep. Joe Barton (R-TX), chairman of the bipartisan privacy caucus, on behalf of his colleagues. Google has until June 14 to respond to the inquiry, though a spokesman has written, “We are thinking very carefully about how we design Glass because new technology always raises new issues.” [National Journal]

Health / Medical

CA – HIMSS Analytics Report Finds Hospitals Facing Data Access Challenges

A new study titled “Streamlining Workflows and Access to Patient Data in Canadian Hospitals,” commissioned by Imprivata, specifies how EHR adoption can impact workflow efficiency and data access, and identifies single sign-on (SSO) technology as one of the solutions to streamline access to clinical systems and patient information. Several key barriers to enabling clinicians to seamlessly access patient data are identified in the study, including:

  • Lack of integration between electronic systems
  • Frequent inability to access information quickly
  • Privacy and security concerns. [Source]

US – Smartphone Tracker Gives Doctors Remote Viewing Powers

A company spun out of the MIT Media Lab has an app bearing the company’s name in trials with hospitals across the country. The smartphone app logs all activity on a patient’s phone and transmits the data to the hospital, where it can be monitored. “Now,” says cofounder and CEO Anmol Madan, “the doctor or nurse can get a sense of the patient’s life and help as needed.” The app automatically notes changes in phone-use patterns and sends alerts when they are detected, which can keep patients who generally care for themselves at home from suffering dire consequences if they deviate from prescribed medication or therapy. [MIT Technology Review]

Horror Stories

US – Hacker Pleads Guilty, Faces 10 Years

A member of hacker group “Anonymous” has pleaded guilty to hacking a private intelligence firm and several websites. 28-year-old Jeremy Hammond has admitted to assisting in the December 2011 attack on Stratfor Global Intelligence Service as well as hacking the Arizona Department of Public Safety, the Boston Police Patrolmen’s Association, the FBI’s Virtual Academy and an Alabama sheriff’s office. He faces up to 10 years in prison. Hammond said he committed the acts, which gathered the credit card and other personal information of more than one million people, in the name of greater transparency because people “have a right to know what governments and corporations are doing behind closed doors.” [The Huffington Post]

UK – ISU to Pay $400,000 Breach Fine

The Department of Health and Human Services (HHS) has released a resolution agreement following Idaho State University’s (ISU) HIPAA violations dating back to August 2011. ISU will pay $400,000 in penalties for exposing data on 17,500 patients by disabling a firewall for at least 10 months, the report states. HHS found ISU committed violations including failing to conduct a risk analysis of the confidentiality of its electronic personal health records and failing to implement sufficient security measures to reduce risk. ISU has entered into a corrective action plan agreement with HHS. [Health IT Security]

US – Data Breach Puts DHS Employees at Risk of Identity Theft

The U.S. Department of Homeland Security (DHS) has revealed that a vulnerability in a vendor’s system may have exposed the Social Security numbers and dates of birth of tens of thousands of its employees. A DHS spokeswoman said the data was stored in the vendor’s database of background investigations and may have been accessible as far back as July 2009. Meanwhile, the Maine Attorney General’s Office has issued an alert to people who have purchased tickets through online service Vendini. According to the company, a server containing the names, addresses, e-mail addresses, credit card numbers and expiration dates of tens of thousands of people—including many Maine residents—was breached. [Federal News Radio] See also: [NZ: Stalling on privacy report fuels speculation]

US – Reporters Use Google, Find Breach, Get Branded as “Hackers”

Two telecoms are calling Scripps Howard News Service reporters hackers after the reporters discovered the personal data of some 170,000 users of a subsidized cell phone program online. The telecoms claim the reporters violated the Computer Fraud and Abuse Act by using sophisticated and “automated” means to uncover the records, but the reporters say they found the data through a Google search. The data included applications for the Federal Communications Commission’s (FCC) Lifeline program—which contained Social Security numbers—collected for telecoms YourTel and TerraCom by Vcare. FCC regulations bar telecom providers from retaining this data, but, according to the report, Vcare had the applications stored on its servers and posted to an open file-sharing area. [Ars Technica]

WW – Breach May Have Exposed 22M IDs

Yahoo Japan released a statement on Friday that a file with 22 million login names may have been exposed. “We don’t know if the file was leaked or not, but we can’t deny the possibility, given the volume of traffic between our server and external terminals,” the statement notes. The company has posted information related to the breach on its homepage and is contacting those affected, the report states, noting the unauthorized access was discovered on Thursday and could affect 10% of the company’s user base. [InformationWeek]

WW – First Return on Investment (ROI) Analysis for the Critical Security Controls

John Pescatore compares Idaho State University’s (ISU) projected cost of settling HIPAA violations with the US Department of Health and Human Services (HHS) to what it would have cost the university to implement security controls that could have (helped) protect its systems from breaches. The estimated cost to ISU, including the fine, the costs of managing the breach, and the implementation of a Corrective Action Plan is US $1 million over two years. Putting in place certain Critical Security Controls that would have detected the issue that exposed patient data would cost an estimated US $75,000. Even adding in extras like vulnerability assessments and monitoring would put the cost at US $500,000, equivalent to one year’s share of the above cost. [SANS]

US – Drupal Resets Passwords After Breach

Drupal.org has reset all account passwords after discovering that intruders had gained unauthorized access to information on its servers. The intrusion was made through unspecified third-party software on the organization’s servers. Nearly one million accounts are affected. [H-Online] [ZDNet] [Ars Technica] [ComputerWorld]

US – Reporters Who Discovered Unprotected Data Are Accused of Being Hackers

Two telecommunications companies are accusing reporters of hacking after the reporters uncovered a cache of personal data on a publicly accessible server. The Scripps reporters say they found the data, which include Social Security numbers (SSNs) and other personally identifiable information, through a Google search, but the companies maintain that the reporters accessed the data and in doing so, violated the Computer Fraud and Abuse Act. The reporters deny those allegations. The data, which were gathered by a third party company on behalf of the two telecommunications firms, were collected as supporting documentation for families seeking to qualify for the US Federal Communications Commission’s (FCC’s) Lifeline program, which helps low-income Americans obtain phone service. The program allows the telecoms to request the information but specifically says that it may not be retained. [Ars Technica] [SacBee] [NPR]

Identity Issues

US – Court: Best Buy’s ID Check Doesn’t Violate Privacy

A federal appeals court has determined that Best Buy’s driver’s license requirement for returning purchases does not contravene the Drivers’ Privacy Protection Act. The 11th Circuit Court of Appeals agreed with a Florida court ruling that tossed out a potential class-action lawsuit filed by Steven Siegler. The suit alleged the company’s practice of collecting and retaining driver’s license data during a purchase return is not a “normal course of business” use. [Bizjournals] See also: [Two-factor authentication: What you need to know (FAQ)]

WW – Twitter Launches Two-Factor Authentication

Twitter has introduced two-factor authentication for account access. Users who opt in to the feature provide Twitter with a mobile phone number, and whenever they want to log in to their accounts, they will be required to provide their regular passwords along with a verification code which will be sent to the specified phone. The introduction of this feature comes just weeks after several high-profile Twitter accounts were compromised and misused. [Ars Technica] [SC Magazine] [h-Online]

Intellectual Property

US – SIIA Releases Whitepaper on Balancing Innovation and Privacy

The Software and Information Industry Association (SIIA) on Monday released a whitepaper on balancing innovation with privacy in Big Data. In the paper, the SIIA cautions against over-legislation, recommending instead that companies take the initiative to build privacy into their Big Data policies. SIIA Senior Director David LeDuc says there are ways for companies to benefit from Big Data and still protect user privacy, adding that anonymizing consumer data as quickly as possible would be a good step. The SIIA and other industry groups would like to see policy-makers, consumer advocates and other stakeholders come together to create policy. [The Washington Post]

US – Commission Recommends Stronger Action to Protect Intellectual Property

The Commission on the Theft of American Intellectual Property, a private organization, has issued a report arguing that US companies should be permitted to act aggressively to prevent hackers from stealing their intellectual property. The report notes that “hundreds of billions of dollars” worth of US intellectual property (IP) is stolen each year, and estimates that China is responsible for 50 to 80 percent of international intellectual property theft. In addition, “the slow pace of legal remedies for IP infringement does not meet the needs of companies whose products have rapid product life and profit cycles.” The paper also makes a case for creating disincentives to IP theft by making it unprofitable. The report calls for laws to allow intellectual property owners to retrieve or “render inoperable” stolen IP. The process would be helped through increased “meta-tagging,” “beaconing,” and “watermarking,” technology that basically has a phone home effect, letting IP holders known when information has been stolen. [ComputerWorld] [SC Magazine] [ZDNet] [Forbes] AND [Text of Report] SEE ALSO: [Future in Review]

Internet / WWW

WW – Privacy Hampers Research Outcomes

Professors at the Massachusetts Institute of Technology say privacy remains a “big stumbling block” to effectively using Big Data. MIT’s Andrew Lo, Dimitris Bertsimas and Alex “Sandy” Pentland are building Big Data models to predict financial market shifts and crime and improve healthcare outcomes, the report states, but run into privacy issues when it comes time to analyze the data. There are also concerns about individuals being profiled based on Big Data findings. Meanwhile, Amsterdam’s ZyLAB has published a whitepaper warning IT decision-makers about “the dark side of Big Data.” [The Wall Street Journal]

Law Enforcement

US – Swire: FBI Initiative Threatens Secure Communications on the Internet

Recent moves by the FBI to persuade the Obama administration “to support major changes” to the Communications Assistance to Law Enforcement Act of 1994 (CALEA) have prompted a new report from the Center for Democracy & Technology and this latest Privacy Perspectives installment from Peter Swire, CIPP/US, who formerly served as chief counselor for privacy in the Office of Management and Budget under President Bill Clinton. The new changes could open up a range of risks and “harm cybersecurity.” [Source]

CA – Privacy Concerns Raised As U.S., Canada Share Data on Travellers

Canada and the U.S. have swapped biographic information on 756,000 cross-border travellers under a sweeping new effort to catch cheating entrants, according to a new border agency report. The flow of personal data between the countries has so far been limited to information about third-country nationals and permanent residents crossing at four major Canada-U.S. land border points. Next year, however, the bilateral exchange will expand to cover all travellers, including Canadian and American citizens, at all automated border crossings. The project is part of the 2011 Canada-U.S. Beyond the Border declaration and action plan. A chief concern among privacy advocates is minimizing the threat of personal information being used for secondary purposes unrelated to border security. [Source] See also: [Privacy complaint launched over CBSA reality TV show]

CA – Manitoba RCMP Members Watch Porn, Snoop on Spouses, Files Show

From snooping on spouses to downloading pornography, a number of RCMP members in Manitoba have been disciplined for abusing their time on duty and the resources available to them on the job. RCMP documents obtained by CBC News reveal the disciplinary actions taken against 10 members of Manitoba’s D Division between the beginning of 2010 and September 2012. The documents outline cases of members using police databases to keep tabs on girlfriends and ex-wives, using RCMP computers to download pornography, and providing civilians with the results of licence plate searches. The sanctions handed out range from a formal reprimand to a reprimand and the loss of 10 days’ pay, although some of the decisions noted that the members could have faced dismissal from the RCMP. [Source]

US – NYPD Detective Arrested for Allegedly Hacking eMail Accounts

US federal law enforcement agents have arrested a New York City Police Department (NYPD) detective for allegedly hiring a hacking service to break into more than 40 email accounts belonging to NYPD employees and other people. Edwin Vargas also allegedly paid the same group for gaining access to cell phone records. According to evidence gathered from a digital forensic review of Vargas’s hard drive, he had obtained access to three months of cellphone records for at least one individual. Vargas also accessed the National Crime Information Center (NCIC) database, which he was authorized to use as a law enforcement officer, but he allegedly accessed information outside the realm of his duties. [The Register] [Information Week] [FBI]

UK – Northamptonshire Police Officers Given Body Cameras

Twenty body cameras have been issued to police officers in Northamptonshire to record incidents for use as evidence in court cases. The cameras operate continuously with a 180-degree sweep and can record in darkness. The Northamptonshire Police and Crime Commissioner said they were valuable in bringing more convictions. Linda Lee, former president of the Law Society, said she was concerned the cameras could be a privacy intrusion. Ms Lee said that because they operated continuously the cameras would pick up a lot about people’s everyday lives, which could be an unwelcome intrusion. Mr Simmonds said that instead of officers having to record incidents on paper and trace witnesses, the court could see and hear the details of incidents in real time. [Source]


WW – Apple Seeks Tracking Suit’s Dismissal

Apple has filed a motion for summary judgment in a privacy class-action lawsuit. The company argues the plaintiffs in the suit—which claims the company uses third-party iPhone applications to access and track users’ personal information—admit suffering “no harm whatsoever” and “still have no idea whether their personal information or location data was actually tracked.” The court dismissed the plaintiffs’ first complaint in September 2011 and dismissed all but two claims of an amended complaint in June 2012. A hearing in this case is set for November 7. [Courthouse News Service] SEE ALSO: [Opinion: Judge’s Phone Ruling Is “Ridiculous”]


US – Government Wants Security Research on Car-To-Car Nets

David Strickland, Administrator of the USA’s National Highway Traffic Safety Administration (NHTSA), has told that nation’s Senate Committee on Commerce, Science, and Transportation that he plans to research the security requirements of automated cars and vehicle-to-vehicle (V2V) networks. Strickland appeared before the committee this week and gaped with appropriate metaphorical awe at the likes of Google’s self-driving vehicles and V2V network proposals that would see one car radio another to tell it when heavy braking is required. Such systems, Strickland said, could “potentially address about 80 percent of crashes involving non-impaired drivers once the entire vehicle fleet is equipped with V2V technology.” He’s also worried about what he called “vehicle cybersecurity”, because he believes more technology in cars creates “growing potential for remotely compromising vehicle security through software and the increased onboard communications services”. NHTSA has asked for an extra $US2m to research the problem, with the aim “of developing a preliminary baseline set of threats and how those threats could be addressed in the vehicle environment”. Standards for car-makers are also on the agenda. [Source]

Online Privacy

NZ – Commish: School Sites Lack Data-Use Info

After sweeping a number of websites as part of the Global Privacy Enforcement Network, New Zealand Privacy Commissioner Marie Shroff has announced that many schools and some popular children’s websites “show there is often no information given to users about how their personal information collected via the site will be used and shared.” According to a press release, “We found that in a selection of the larger New Zealand schools’ websites we looked at, very few had any sort of policy at all.” In contrast, many children’s gaming websites had privacy policies that “were usually extremely detailed and lengthy, and the references were often to U.S. or European law.” [Media Release]

US – Website Shows Just How Private Snapchat Really Is

If recent stories showing the permanence of Snapchat’s supposedly ephemeral photo sharing didn’t convince you, perhaps the launch of a new website will. The startup website allows users to upload photos that have been sent to them, despite the senders’ assumption that they would be deleted after only 10 seconds of viewing. While the site covers up “naughty bits” and doesn’t display a Snapchat ID, there is still some speculation as to whether the site will lead to lawsuits. “All images are user-submitted,” the site’s creators told UK tabloid Metro, “if the person asks to take them down, we do. Most see it as fun and getting ‘Facebook famous’.” [Beta Beat]

WW – Facebook Joins Advocacy Group

Facebook announced on Wednesday that it has joined the online privacy and freedom advocacy group Global Network Initiative (GNI). The affiliation may help to show users that Facebook is taking privacy concerns seriously and also help it navigate expansion in developing countries, the report states. GNI provides guidance on protecting online privacy against government intrusions and reviews members’ practices to ensure they are in line with GNI’s goals. Meanwhile, Facebook CEO Mark Zuckerberg was in Poland on Wednesday meeting with Polish Minister for Administrative Affairs and Digitisation Michal Boni about the global significance of the Polish IT industry. [The Wall Street Journal]

WW – Firefox Cookie Blocking By Default on Pause

Mozilla has postponed default cookie-blocking in its Beta version of Firefox 22 “to collect and analyze data on the effect of blocking some third-party cookies.” The default setting has been criticized by the online advertisement industry. The nonprofit is currently testing a patch created by Jonathan Mayer. In a blog post, Mozilla Chief Technology Officer Brendan Eich wrote, “Our next engineering task is to add privacy-preserving code to measure how the patch affects real websites,” adding, “We will also ask some of our Aurora and Beta users to opt in to a study with deeper data collection.” [PC World]

WW – Future Version of Firefox Will Block Mixed Active Content by Default

A future stable version of Firefox will block mixed active content by default. Firefox 23 Aurora is scheduled for stable release in about three months. Mixed active content is described as an HTTPS-secured website that loads some HTTP content (such as scripts, stylesheets or frames) that can alter the page, which can make the site vulnerable to a variety of attacks. Users will have the option of disabling the content blocker on a site-by-site basis. [CNET] [Mozilla] [interesting article on the security implications of HTTP/HTTPS mixer-uppers]
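As an added illustration (not Mozilla’s code, nor part of the original digest), the following scanner classifies the subresources of an HTTPS page into active mixed content, the category Firefox 23 blocks by default, and passive mixed content (images and media), which the text says is not covered by the blocker. The tag lists, the sample HTML and the hostnames are constructed for the example; the mapping of tags to “active” versus “passive” follows the common definition and is an assumption, not Mozilla’s exact list.

```javascript
// Tags whose HTTP-loaded content can execute or restyle the page (active).
// Stylesheets are handled separately because <link> needs its rel attribute checked.
const ACTIVE_TAGS = new Set(["script", "iframe", "object", "embed"]);
// Tags whose HTTP-loaded content is displayed but cannot run code (passive).
const PASSIVE_TAGS = new Set(["img", "audio", "video", "source"]);

// Resolve a reference the way a browser would: absolute URLs keep their scheme,
// scheme-relative ("//host/x") and path-relative URLs inherit the page's scheme,
// so neither of those is mixed content on an HTTPS page.
function resolveScheme(pageUrl, ref) {
  try {
    return new URL(ref, pageUrl).protocol; // "http:" or "https:"
  } catch {
    return null; // unparsable reference: nothing to classify
  }
}

// Deliberately simple regex tag scanner; a teaching aid, not an HTML parser.
// Returns one entry per tag that carries a src/href/data attribute.
function extractRefs(html) {
  const refs = [];
  const tagRe = /<\s*([a-zA-Z]+)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const srcMatch = /(?:^|\s)(?:src|href|data)\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!srcMatch) continue;
    const isStylesheet = tag === "link" && /\brel\s*=\s*["']?stylesheet/i.test(attrs);
    refs.push({ tag, url: srcMatch[1], isStylesheet });
  }
  return refs;
}

// Classify every HTTP reference found in an HTTPS page.
// Plain <a href="http://..."> links are navigation, not subresources, so they are ignored.
function classifyMixedContent(pageUrl, html) {
  const result = { active: [], passive: [] };
  if (new URL(pageUrl).protocol !== "https:") return result; // only HTTPS pages can have mixed content
  for (const ref of extractRefs(html)) {
    if (resolveScheme(pageUrl, ref.url) !== "http:") continue;
    if (ACTIVE_TAGS.has(ref.tag) || ref.isStylesheet) result.active.push(ref.url);
    else if (PASSIVE_TAGS.has(ref.tag)) result.passive.push(ref.url);
  }
  return result;
}

// Constructed sample page: two active HTTP loads, one passive one, and several
// references that are NOT mixed content (https, scheme-relative, relative, plain link).
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="http://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/ok.js"></script>
<script src="/local.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<iframe src="https://widgets.example.test/w"></iframe>
<a href="http://example.test/page">link</a>
</body></html>`;

const report = classifyMixedContent("https://shop.example.test/checkout", SAMPLE_HTML);
console.log("blocked by default (active):", report.active);
console.log("allowed but downgrading (passive):", report.passive);
```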

EU – German Commission Calls Out Xbox One Privacy Issues

Not all are pleased with the technology behind Microsoft’s upcoming platform, the Xbox One. Speaking with news site Spiegel, Germany’s federal data protection commissioner Peter Schaar likened the next-generation console to a “monitoring device.” “The Xbox continuously records all sorts of personal information about me. Reaction rates, my learning or emotional states. [These] are then processed on an external server, and possibly even passed on to third parties,” Schaar said. “Whether it be deleted ever, the person concerned cannot influence.” Privacy concerns surrounding the Xbox One were brought up immediately after Microsoft revealed that the system’s built-in Kinect features an always-on standby mode that can react to users even when it is “off.” [Source]

Other Jurisdictions

AU – Gov’t Introducing Breach Notification Bill

Privacy Commissioner Timothy Pilgrim has voiced support for mandatory breach legislation. Attorney-General Mark Dreyfus has announced the government will introduce legislation to take effect in March that will require companies to disclose data breaches. The legislation, which the Australia Law Reform Commission has been proposing since 2008, will “require notification of serious data breaches that will result in a real risk of serious harm,” a Gizmodo report states, noting Dreyfus used the announcement of the legislation as an opportunity to chastise organizations for recent data breaches. As current legislation does not require companies to disclose breaches, the report questions “the data breaches we haven’t heard about over the last decade.” [CSO] See also: [Global tech giants to face Aussie privacy hurdles]

AU – Privacy Laws Stop Cops Tracking Refugees

Privacy restrictions are preventing police being told where asylum seekers are living in the community. The Immigration Department has told a parliamentary committee that “due to privacy reasons”, police were not told where boat arrivals on bridging visas are. More than 10,000 asylum seekers who have been released have had initial security checks, but are yet to undergo screening by ASIO. Police have been called to asylum seeker housing five times over assaults from November 2011 to December last year. Four asylum seekers living in the community have since absconded and are yet to be found. [Source]

RU – Russia Ratifies Commitment to Convention 108

On May 15, Russia ratified a treaty to join Convention 108—the “Convention for the protection of individuals with regard to Automatic Processing of Personal Data.” Council of Europe Secretary General Thorbjørn Jagland said he received Russia’s accession from Permanent Representative and Ambassador of the Russian Federation to the Council Alexander Alekseev. The treaty will enter into force on September 1. Russia will become the 46th state to join Convention 108. [NewEurope]

Privacy (US)

US – Consumer Groups Worry U.S.-EU Trade Pact Will Weaken Privacy Regulations

Reuters reports on developments regarding the Transatlantic Trade and Investment Partnership (TTIP), a proposed free-trade agreement between the EU and U.S. Consumer groups have called language in the agreement a “backdoor way” for U.S. businesses to sidestep EU data protection law. Roughly 60 supporters and opponents of the agreement will address a panel convened by the Trade Representative’s office to discuss TTIP this week. [Source] [See also Trade Law and Privacy Law Come Together]

US – Schnucks: Class-Action Suit Should Be Federal

Schnucks Markets claims a potential class-action lawsuit filed against it in an Illinois state court belongs in federal court because of the case’s scope and damages involved. The St. Louis-based grocer has filed a motion for removal. The motion notes the damages the plaintiffs claim exceeds the $5 million threshold for a federal case and that the number of people involved in the claim, from various states, means the case should be federal. Schnucks announced a breach earlier this year resulting in the exposure of 2.4 million credit and debit cards. The lawsuit claims the store was negligent and didn’t inform those affected quickly enough. [Computerworld] See also: [US: As Data Breaches Rise, AGs Emerge As Primary Enforcers]

US – FTC Asks Judge to Reject Wyndham Hotels’ Motion to Dismiss Complaint

The US Federal Trade Commission (FTC) has filed documents asking a US District Court to toss out Wyndham Hotels’ motion to dismiss an FTC complaint against the company after it suffered a number of data security breaches. Wyndham argued that the FTC is exceeding its authority because it is trying to make cybersecurity issues into consumer protection issues, saying the FTC “wants to turn a statute designed to protect consumers from unscrupulous businessmen into a tool to punish businesses victimized by criminals.” But court documents say “the FTC is not suing Wyndham for the fact that it was hacked, it is suing Wyndham for mishandling consumers’ information such that hackers were able to steal it.” The case is significant because “in the absence of comprehensive cybersecurity legislation … the only effective method for cybersecurity regulation by the government is to use the FTC’s enforcement authority.” [SC Magazine] [Lawfareblog]

US – FTC Sends Biz COPPA Education Letters

In light of upcoming rule changes to COPPA and recent pushback from industry, the FTC has issued more than 90 letters to app developers. The letters were sent to companies whose online services “appear” to collect personal information from children under the age of 13. “While the letters do not reflect an official evaluation of the companies’ practices by the FTC, they are designed to help businesses come into compliance” with the impending changes, an FTC press release states. Meanwhile, The Washington Post reports on comments made by Center for Digital Democracy’s Joy Spencer, who said, “Facebook is not doing enough to ensure children under 13 don’t have access to the site,” adding, “That raises a number of concerns about safety and because Instagram then is able to collect personally identifiable information on children, which can be used to target ads toward them in the future.” [FTC Press Release]

US – Privacy Organization Files FTC Complaint Against Snapchat

It’s recently surfaced that Snapchat photos and videos are stored somewhere on your phone and can be retrieved with a few tools. Snapchat hasn’t responded with a fix yet, and this has landed the app in hot water with the Federal Trade Commission. Way back when Snapchat was first launched, Buzzfeed discovered a loophole that allowed cached Snapchat videos to be rewatched on an iOS browser like iFunBox. The Electronic Privacy Information Center has been keeping a watchful eye on Snapchat, and the most recent evidence of Snapchat retrieval has proven reason enough for the privacy organization to strike. Photographer Nick Keck told us he used iFile, an iOS browser, to dig up saved Snapchat videos. Photos can’t be retrieved, as we reported earlier, since photos aren’t cached. EPIC says Snapchat led users to believe their images and videos would “disappear forever.” But in the complaint that EPIC filed with the FTC, the group says the company used “unfair and deceptive acts and practices.” [Source]

US – Does “Neighbors” Photo Exhibit Violate Privacy?

Photographs taken by a New York City artist have residents infuriated. “In one photo, a woman is on all fours, presumably picking something up, her posterior pressed against a glass window. Another photo shows a couple in bathrobes, their feet touching beneath a table. And there is one of a man, in jeans and a T-shirt, lying on his side as he takes a nap,” the report states, noting the photos were taken through their windows by Arne Svenson from his nearby apartment. Although their faces are not shown, the residents “had no idea they were being photographed, and they never consented to being subjects,” raising questions of whether any privacy law has been violated. [The Associated Press]

US – Feds Tracked Reporter’s Movements, Personal E-Mail

In an effort to unmask a leaker who fed a reporter classified information about North Korea, FBI investigators tracked the journalist’s movements in and out of a government building, obtained copies of e-mails from his personal account and also took the unprecedented step of alleging that the reporter engaged in a criminal conspiracy simply for doing his job. Investigators tracked the reporter’s movement using security badge access records as he left and returned to the State Department’s headquarters in Washington, DC, and also obtained two days’ worth of e-mail correspondence from his Gmail account. “Never in the history of the Espionage Act has the government accused a reporter of violating the law for urging a source to disclose information,” Ben Wizner, director of the ACLU’s Speech, Privacy and Technology Project said in a statement. “This is a dangerous precedent that threatens to criminalize routine investigative journalism.” The revelations come in an affidavit filed in an investigation against a State Department security adviser who is accused of leaking classified information to Rosen. [Source]

US – Bloomberg Appoints Privacy Czar

In light of revelations that some of Bloomberg’s journalists were using private client data for reporting, the company has announced it has hired former IBM CEO Samuel Palmisano “to serve as an independent advisor regarding the company’s privacy and data standards.” According to Bloomberg’s press release, Palmisano “will immediately undertake a review of the company’s current practices and policies for client data and end-user information, including a review of access issues recently raised by the company’s clients.” Palmisano will report directly to the Board of Directors and will be assisted by representatives from Hogan Lovells and Promontory Financial Group. [Forbes]

US – Harvard College Dean Who Authorized eMail Searches Stepping Down

The Harvard College dean who authorized secret searches of residential deans’ email messages will step down this summer. Evelynn M. Hammonds acknowledged that she authorized the searches, which were aimed at identifying the source of an information leak about a cheating scandal that emerged at the school in 2012. Hammonds and other administrators maintained that automated searches were made only of email subject lines to determine who had shared a confidential message with someone at the Harvard Crimson newspaper, and that the searches were conducted in an effort to protect the privacy of the students involved in the cheating scandal. The administrators also acknowledged that it was a mistake not to notify the deans of the search either before or after the fact. [ComputerWorld] [CNN]

US – California’s Mobile App Privacy Law Test Case Unsuccessful

A California Superior Court judge has dismissed a lawsuit brought against Delta Air Lines for allegedly failing to comply with state laws regarding mobile application privacy. The lawsuit, filed by California Attorney General Kamala Harris, alleged that Delta had violated California’s Online Privacy Protection Act because it did not disclose how its Fly Delta smartphone app collected and used customer data. Delta argued that the state law is superseded by the Federal Airline Deregulation Act, which says that states may not enforce laws that affect airlines’ fares, routes, or services. Delta maintained that its mobile app was a service and Judge Marla Miller agreed. [ComputerWorld]

Privacy Enhancing Technologies (PETs)

WW – New ‘Clueful’ App Scans Android Phones for Privacy Leaks

Anti-virus firm Bitdefender has launched Clueful, a free Android app that tells you how much other Android apps invade your privacy. Clueful quickly scans your phone to see which apps are installed, and then gives you an overall privacy score ranging from a low of 1 to a high of 100. Clueful categorizes individual apps into high-, moderate- and low-risk categories, with high scorers being those apps that “are viruses,” “send your identity to strangers” and “use very intrusive ads.” Moderate-risk apps “send your private data to strangers,” such as popular games like “Angry Birds.” Other apps have the ability to read or intercept SMS messages, including Amazon, USA Today and IMDb; the same number might read contacts. Meanwhile, a whopping 42 apps had the ability to track location, including the game “Fruit Ninja.” Clueful is available for installation from the Google Play app store. [Source]
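The scoring described above (a 1–100 privacy score, apps bucketed into high, moderate and low risk, and counts of how many apps can read SMS, contacts or location) can be reproduced in a simple form from an app's granted permissions. The following is an added example written for this digest, not Bitdefender's Clueful code: the permission weights, the thresholds and the sample app list are assumptions chosen for illustration, and a real scanner would also look at observed network behaviour and ad libraries, which permission lists alone cannot show.

```python
"""Permission-based privacy risk scoring for installed Android apps.

Added example (not Clueful's algorithm). Weights, thresholds and the
sample apps are assumptions. Input is a list of (package, permissions)
pairs of the kind an administrator could export with
`adb shell dumpsys package`; the list below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

P = "android.permission."

# Assumed weights: higher means a more privacy-sensitive capability.
PERMISSION_WEIGHTS = {
    P + "READ_SMS": 30,
    P + "RECEIVE_SMS": 30,
    P + "READ_CONTACTS": 20,
    P + "ACCESS_FINE_LOCATION": 20,
    P + "ACCESS_COARSE_LOCATION": 10,
    P + "RECORD_AUDIO": 20,
    P + "CAMERA": 15,
    P + "READ_PHONE_STATE": 10,
    P + "INTERNET": 5,
}

# Permissions that give data a way off the device, and permissions that
# read sensitive data. Holding one of each is worse than either alone,
# which is the "sends your private data to strangers" pattern.
EXFIL_PATHS = {P + "INTERNET", P + "SEND_SMS"}
SENSITIVE_READS = {P + "READ_SMS", P + "RECEIVE_SMS", P + "READ_CONTACTS",
                   P + "ACCESS_FINE_LOCATION", P + "RECORD_AUDIO", P + "CAMERA"}
COMBINATION_PENALTY = 20

# Capabilities to tally across the whole phone (the "42 apps can track
# location" style of summary).
CAPABILITIES = {
    "read SMS": {P + "READ_SMS", P + "RECEIVE_SMS"},
    "read contacts": {P + "READ_CONTACTS"},
    "track location": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
}


@dataclass
class AppReport:
    package: str
    score: int          # 1 (worst) .. 100 (best)
    risk: str           # "high", "moderate" or "low"
    findings: list[str]


def app_risk(package: str, permissions: list[str]) -> AppReport:
    """Score one app: start at 100 and subtract a penalty per permission."""
    perms = set(permissions)
    penalty = sum(PERMISSION_WEIGHTS.get(p, 0) for p in perms)
    findings = [f"can {p.rsplit('.', 1)[-1].replace('_', ' ').lower()}"
                for p in sorted(perms) if p in PERMISSION_WEIGHTS]
    if perms & EXFIL_PATHS and perms & SENSITIVE_READS:
        penalty += COMBINATION_PENALTY
        findings.append("reads sensitive data and has a path to send it off the device")
    score = max(1, 100 - penalty)
    risk = "high" if score < 40 else "moderate" if score < 75 else "low"
    return AppReport(package, score, risk, findings)


def scan(apps: list[tuple[str, list[str]]]) -> list[AppReport]:
    """Score every app, worst first."""
    return sorted((app_risk(pkg, perms) for pkg, perms in apps), key=lambda r: r.score)


def capability_counts(apps: list[tuple[str, list[str]]]) -> dict[str, int]:
    """How many installed apps hold each capability in CAPABILITIES."""
    return {name: sum(1 for _, perms in apps if set(perms) & needed)
            for name, needed in CAPABILITIES.items()}


# Constructed sample inventory (package names are placeholders).
SAMPLE_APPS = [
    ("com.example.flashlight",
     [P + "INTERNET", P + "ACCESS_FINE_LOCATION", P + "READ_CONTACTS", P + "READ_SMS"]),
    ("com.example.game", [P + "INTERNET", P + "ACCESS_COARSE_LOCATION"]),
    ("com.example.chat", [P + "INTERNET", P + "READ_CONTACTS", P + "CAMERA"]),
    ("com.example.offline_sms", [P + "READ_SMS"]),
    ("com.example.notes", []),
]

if __name__ == "__main__":
    for report in scan(SAMPLE_APPS):
        print(f"{report.package:28s} {report.score:3d} {report.risk:8s} {'; '.join(report.findings)}")
    print(capability_counts(SAMPLE_APPS))
```

A flashlight app that holds location, contacts, SMS and network access lands at the bottom of the list, while an SMS reader with no network path is only moderate: the combination penalty is what separates "can read" from "can read and send", which is the distinction a privacy reviewer cares about most.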

WW – Web-Security Firm Acquires Web-Privacy Firm

Web-security firm AVG has purchased web-privacy firm PrivacyChoice. PrivacyChoice offers a browser extension that analyzes a user’s web activity and indicates their exposed personal information. “Since founding, our mission has been to deliver more effective and more informed choices about how your data is collected, used and shared,” said PrivacyChoice founder Jim Brock. “We saw strong synergies between our approach and the efforts AVG continues to make in empowering people when it comes to their online privacy.” [Venturebeat]


WW – Chips Pose ID Theft and Privacy Concerns

Identity theft of travelers is rising, stemming from access to RFID chips in passports and credit cards. Criminals can also access personal data from smartphones via WiFi networks. To help curb such attacks, some luggage companies are inserting RFID-blocking compartments in luggage. Meanwhile, Bruce Schneier, a security expert, writes about the rise of the Internet of Things and surveillance in his latest blog post, noting that “any illusion of privacy we maintain” is “about to get worse.” [The Washington Post]


UK – Smart Meters Need to Be Harder To Hack, Experts Say

By the year 2020 about 30 million British homes will have digital smart meters monitoring their gas and electricity usage, according to government plans. The scheme promises to reduce costs, as in-house monitors will make energy consumption more visible and therefore controllable, and will remove the need for estimated bills. However, this month the roll-out was delayed by the Department of Energy and Climate Change for more than a year as the government admitted more tests were still needed. One big issue for information security experts is the safety of the data collected by the meters and transferred back to the utility companies. While there are many different brands of meter, the communications hubs which transmit this information often use the mobile data network via a SIM card. “There are two main ways of hacking the meters – through the mobile network they use to communicate, or through hardware hacking – opening the meter up, tampering, altering the firmware or removing the cryptographic keys.” [Source] SEE ALSO: [AU: Hacking: Chinese spies steal ASIO blueprints]

US – Electric Grid Under Continuous Attack

Computer systems at utility companies that make up the US electric grid are under attack daily, according to a Congressional report. Two legislators sent questionnaires to more than 150 companies and received 112 responses. Just 53 of those actually answered the questions, while the rest provided partial responses or information that did not directly answer the questions. More than a dozen of the responses said their systems were under “daily,” “constant,” or “frequent” attacks. One company reported it experienced 10,000 attempted attacks a month. None of the companies noted that the attacks had damaged their systems. The report, “Electric Grid Vulnerability: Industry Responses Reveal Security Gaps,” looks at threats from both hackers and from natural occurrences. The report strongly urges Congress “to provide a federal entity with the necessary authority to ensure that the grid is protected from potential cyber-attacks and geomagnetic storms.” [Ars Technica] [CNET] [ComputerWorld]

US – Report Says Chinese Hackers Accessed US Weapons Systems Designs

According to a confidential report from the Defense Science Board, Chinese hackers gained access to designs for advanced US weapons systems. The confidential report, which was prepared for the Pentagon, did not specify whether the data were accessed through government networks or through contractor networks. According to the report, DOD “is not prepared to defend against this threat. With present capabilities and technology, it is not possible to defend with confidence against the most sophisticated cyber attacks.” An unnamed senior military official told the Washington Post that “in many cases, they don’t know they’ve been hacked until the FBI comes knocking on their door.” [Washington Post] [Reuters] [CNET] [REPORT] See also: [Clearwire Will Shed Huawei Hardware]

US – Iranian Hackers Targeting US Companies’ Industrial Control Systems

US officials say that hackers operating on behalf of the Iranian government are targeting industrial control systems at US energy companies in an attempt to damage the country’s critical infrastructure. Thus far, the attacks have focused on gathering intelligence about how the systems operate. Some US officials have posited that Stuxnet, the sophisticated malware attack that targeted centrifuges at an Iranian nuclear facility in 2010, pushed Iran to develop stronger cyberattack capabilities and to retaliate. [The Register] [eWeek] See also: [Syrian Electronic Army Hacked Sky’s Twitter and Android Apps] and: [Australian Official Will Not Confirm Reports of Cyberespionage]

US – Chinese Hackers Accessed Google’s Surveillance Database

The Chinese hackers who broke into Google servers in 2009 and 2010 were able to gain access to Google’s database of surveillance orders from the US government. The information was likely sought to determine which Chinese intelligence operatives in the US were under surveillance by law enforcement agencies there. A Microsoft official recently hinted that Microsoft suffered an intrusion at about the same time, and that the attackers appeared to be searching for information about accounts for which the US government had legal wiretap orders. [Washington Post] and [Chinese Hackers Resume Attacks on US Organizations : Source | Source | Source]

WW – Software Security Standards Gaining Traction

At a conference earlier this week, Microsoft announced its support for ISO 27034, an international standard that lays out processes and practices for secure software development. On the same day at the same conference, the Software Assurance Forum for Excellence in Code (SAFECode), an organization that promotes secure software development practices, announced the availability of free training modules on secure coding practice for developers. The first portion of the International Organization for Standardization’s (ISO’s) secure programming techniques document, 27034-1, was released in November 2011. It describes elements of a secure development process, which is useful information for both developers and consumers. [eWeek]


US – AG Tells Senate to Get Warrants to Access Stored Cloud Content

US Attorney General Eric Holder told the House Judiciary Committee that he supports requiring that the government obtain a probable-cause warrant to access email and other cloud-stored content. In April, the committee approved proposed legislation that would alter a portion of the 1986 Electronic Communications Privacy Act (ECPA) allowing law enforcement to access content stored in the cloud, unopened, for more than 180 days. [WIRED] [ZDNet]

Telecom / TV

US – Cell Phone Users ‘Have No Legitimate Expectation of Privacy’ – Judge

A federal judge recently ruled that if someone has their cell phone turned on, their location data does not deserve protection under the Fourth Amendment, meaning law enforcement can track individuals without a search warrant. New York magistrate judge Gary Brown decided in favor of Drug Enforcement Administration (DEA) agents who were seeking his approval over a warrant on a doctor who they suspected was being paid for issuing thousands of prescriptions. The warrant would have compelled the physician’s phone company to provide real-time tracking data from his cell. Brown, certainly to the delight of police, issued a 30-page brief outlining his opinion that, by carrying a cell phone, someone is essentially waiving their Fourth Amendment right to due process. “Given the ubiquity and celebrity of geolocation technologies, an individual has no legitimate expectation of privacy in the prospective of a cellular telephone where that individual has failed to protect his privacy by taking the simple expedient of powering it off,” Brown wrote. “As to control by the user, all of the known tracking technologies may be defeated by merely turning off the phone. Indeed – excluding apathy or inattention – the only reason that users leave cell phones turned on is so that the device can be located to receive calls. Conversely, individuals who do not want to be disturbed by unwanted telephone calls at a particular time or place simply turn their phones off, knowing that they cannot be located.” He goes on to suggest that because there are smartphone applications available that allow users to locate people in their area with similar interests, cell phone customers should not expect their inherent right to privacy to be observed. The American Civil Liberties Union (ACLU) has long been a voice for the American people against governmental overreach and technological surveillance. 
Chris Soghoian, a principal technologist and senior policy analyst at the ACLU, wrote that Brown’s opinion was “ridiculous.” “There is a big difference between location information you knowingly share with a select group of friends (or, in fact, the world) and information collected about you without your knowledge or consent,” he wrote. [Source]

US – NAI Working On New Mobile Privacy Rules

The Network Advertising Initiative (NAI) is moving forward with plans to eventually issue a set of mobile privacy rules. A draft version is being circulated among members to help provide a code of conduct for data collected from mobile apps. The draft rules cover behavioral targeting and are expected to be finalized by next month, NAI Executive Director Marc Groman, CIPP/US, has said. The rules would require participating companies to provide consumers with an opt-out for behavioral targeting ads but allows ad networks to continue to collect “non-personally identifiable” data for certain purposes, such as analytics, ad optimization and frequency capping. [MediaPost News]

EU – SAP Touts Service That Sells Customer Data from Phone Firms

European software firm SAP has announced a new service that will pull data from its “extensive partner network”—which includes “over 990 mobile operators”—collect and analyze it “without drilling down into user-specific information,” and disclose the results to subscribers via a web portal. SAP said of its Consumer Insight 365 mobile service that “this market intelligence will ultimately allow brands to strengthen relationships with consumers through more targeted and context-specific marketing efforts.” The Wall Street Journal reports on the potential privacy concerns from a service that will “broaden the range of data about individuals’ habits and movements that law enforcement could subpoena.” [CNET News]

US Government Programs

US – Border Data-Sharing Plan to Expand

Privacy advocates have expressed concerns over data sharing between the U.S. and Canada. Since the 2011 Canada-U.S. Beyond the Border action plan, the two countries have shared biometric data on 756,000 border crossers considered third-country nationals and permanent residents. Next year, the data shared will expand to include all travelers. Advocates are concerned the data could be used for secondary purposes. “We have provided questions to Canada Border Services Agency seeking information on how personal information collected may be used and by what other federal organizations and for what possible secondary uses outside of monitoring travel and immigration,” said a spokesman for Canada’s privacy commissioner. [Postmedia News]

US – GSA Seeks Comments on Cybersecurity Standards and Purchasing

The US General Services Administration (GSA) and the Pentagon have issued a request for information seeking input from industry on how best to incorporate cybersecurity standards into government purchasing requirements. Some ideas GSA and DOD are considering include establishing an accreditation program and allowing certain acquisitions to be exempt from cybersecurity standards. The goal is to protect government systems while not impeding market entry for potential new contractors. Comments will be accepted through June 12. [Washington Post] [Federal Register]

US – Vendors Want Cybersecurity Rule Freeze Until Standards are Issued

Federal contractors are asking the US General Services Administration (GSA) to temporarily suspend cybersecurity rulemaking until the government issues national guidelines later this year. The specific regulations may be “well intentioned” but there is concern that rules created now might conflict with the standards that are expected by November. [NextGov]

US Legislation

US – Bill Would Require Feds to Obtain Warrant to Seize Phone Records

Four US legislators have introduced a bill that would require federal agencies to obtain a court order prior to obtaining phone records. The proposed legislation follows close on the heels of the disclosure that federal investigators obtained phone records of Associated Press (AP) journalists with just a subpoena. The Telephone Records Act, as currently written, allows federal agents to obtain records from service providers with an administrative subpoena to discover basic subscriber information, such as name, address, payment card number, and phone records. The proposed legislation, The Telephone Records Protection Act, protects all Americans’ phone records from being seized by federal agencies without a warrant. Federal agents would need to obtain judicial review before gaining access to those data, and they would have to provide “specific and articulable facts [that prove the requested data are] relevant and material to an ongoing criminal investigation.” The US Justice Department has been roundly criticized for the AP incident, in which they obtained phone records for 20 lines, some of which were the work and home numbers of AP reporters. DOJ maintained that it was following procedure when it issued a subpoena for the information. [WIRED]

US – Senator Introduces Bill to Bolster Fourth Amendment Rights

Sen. Rand Paul (R-KY) has introduced a bill aiming to ensure adequate Fourth Amendment rights when it comes to electronic communications. “The Fourth Amendment Preservation and Protection Act of 2013” requires specific warrants granted by judges for law enforcement to obtain electronic communications data. “In today’s high-tech world, we must ensure that all forms of communication are protected. Yet government has eroded protecting the Fourth Amendment over the past few decades, especially when applied to electronic communications and third-party providers,” Paul said. [Source]

US – Maine Cellphone Bill Could Be Nation’s First

The Maine legislature is set to pass what would be a first-in-the-nation bill requiring law enforcement to obtain a warrant prior to accessing an individual’s cellphone location history. Following last week’s vote by the Senate, the House voted 113-28 on Wednesday in favor of the bill. If passed, the bill would require the warrants with exceptions for emergencies such as bodily harm and would require police to notify individuals within three days that their data has been accessed. LD 415 now goes back to the Senate for enactment. [The Portland Press Herald]

US – Texas Likely to Enact Nation’s Strongest E-Mail Privacy Law

After unanimously passing both houses of the Texas state legislature, HB 2268 has landed on Gov. Rick Perry’s desk for enactment. If signed, Texas would host the nation’s strongest e-mail privacy bill. The proposed bill would require state law enforcement to obtain a warrant prior to accessing any e-mails, regardless of age of the electronic documents. Though the bill would give residents protections from state-level snooping, the bill would not prevent federal investigations. Perry has until June 16 to sign or veto the bill. If he does neither, the bill would automatically go into effect on September 1, the report states. [Ars Technica]

US – Washington Passes Password-Protection Bill

Washington’s governor has signed a law prohibiting employers from asking potential employees for passwords to social media accounts. The bill was sponsored by state Sen. Steve Hobbs (D-Lake Stevens), who said he was pleased the bill passed. “Privacy shouldn’t be a thing of the past that we are forced to sacrifice every time technology moves forward,” he said. Maryland, Illinois, California, Michigan, Utah, New Mexico, Arkansas, Colorado and New Jersey have similar laws. [Associated Press]

US – State Legislative Roundup

Over the past two weeks, several states have enacted or initiated privacy legislation. California has moved forward on a security breach notification law, and Maine has considered a 911 privacy bill. Topping state legislative action, however, are social media privacy laws. From Utah to New Jersey, states are clamping down on the employer practice of requiring employees and applicants to disclose social media passwords. In this roundup, we take a look at these initiatives and some concerns that these social media laws could conflict with the Financial Industry Regulatory Authority. [The Privacy Advisor] See also: [US: NetChoice: California privacy bills are bad for Internet]

Workplace Privacy

EU – Schaar: Busting Employees Online Is Illegal

German Federal Data Protection Commissioner Peter Schaar says job centers that search online for employees abusing unemployment benefits are breaking the law. “Job center employees are under no circumstances allowed to log into social networks or even under false pretenses become online friends with people in order to gain access to their data,” Schaar told a magazine. The report states that only if someone receiving unemployment benefits “is uncooperative and refuses to give out relevant data” can a center turn to the Internet—and, even then, the employee must be notified of the data collection, Schaar added. [The Local]

US – Survey Reveals Employees Not Concerned About Privacy on the Job

91% accept and welcome computer monitoring during work hours. In addition to revealing changing attitudes among U.S. employees when it comes to privacy and the workplace, the survey also showed that employees’ non-work-related computer activities are costing businesses millions of dollars in lost productivity annually, e.g.:

  • 100-employee businesses have productivity losses of 13,750 hours annually, equivalent to paying seven full time employees to do nothing all year
  • 1,000-employee businesses have productivity losses of 137,500 hours annually, equivalent to paying 69 employees to do nothing all year
  • 5,000-employee businesses have productivity losses of 687,500 hours annually, equivalent to paying 344 employees to do nothing all year

SpectorSoft has produced an infographic showing the key findings from the survey:

  • 75% of employees accept that employers may monitor their computer activities.
  • 16% of employees are “glad” their employers monitor their computer activities.
  • 9% of employees were “mad” about being monitored during working hours.
  • 49% of employees said their employers monitored their computer activities.
  • 69% of employers that have Internet Acceptable Use Policies (IAUP) monitor employees.
  • 15% of employers that do not have IAUPs monitor employees’ activities.

“This survey reveals that businesses desiring to strengthen security, improve efficiency and stop bleeding millions in lost productivity need to find ways to control employees’ use of corporate computing resources during work hours,” said Nick Cavalancia, vice president at SpectorSoft. [Wall Street Journal] See also: [AB: Release of truck driver’s work history violated privacy laws, watchdog says] and [Karen Selick: Get the picketers off my porch]


01-15 May 2013


US – Biometric Database of All Adult Americans Hidden in Immigration Reform

Immigration reform being debated in the Senate Judiciary Committee could eventually result in “a ubiquitous national identification system.” The proposed legislation includes a mandate to create a database of names, ages, Social Security numbers and photographs “of everyone in the country with a driver’s license or other state-issued photo ID,” to be maintained by the Department of Homeland Security. The ACLU has raised concerns, and David Bier of the Competitive Enterprise Institute said, “The most worrying aspect is that this creates a principle of permission basically to do certain activities and it can be used to restrict activities,” he said. “It’s like a national ID system without the card.” [WIRED]


US – OPC Survey and Demise of Data Farm Deal Highlight Privacy Issues

A deal has ended that would have resulted in a Facebook “data farm…full of high-powered servers necessary to store information from billions of users worldwide” being built in Manitoba. Facebook considered the province due to such factors as land prices and renewable energy but ultimately “cited concerns about Canadian privacy laws in making its decision to pull out of Manitoba,” the report states. In other news, an Office of the Privacy Commissioner survey indicates, “Privacy concerns are driving Canadians away from smartphone apps and online services,” SC Magazine reports. [Winnipeg Free Press] SEE ALSO: [NDP call for broader probe into data breaches, identity fraud]

CA – Alberta Privacy Commissioner says Child First Act threatens privacy

Alberta’s proposed Children First Act will erode privacy rights and undermine Albertans’ control over their own health and personal information, privacy commissioner Jill Clayton says. Alberta’s Information and Privacy Commissioner criticized the sweeping new law, saying the government hasn’t done enough to make sure those subject to the act, mainly at-risk children and their families, will have their privacy protected. The proposed new legislation allows those who work with at-risk children to talk to one another about the people they serve; those on the list include child welfare workers, police, teachers and foster parents, among others. These front-line workers have consistently said rules that restrict them from sharing information make it harder to do what is right for kids in care. Clayton said she recognizes the need to share information but remains concerned about the privacy implications of the bill, known as Bill 25. [Source]

CA – New Institute Designed To Turn Alberta Research Into Commerce

A new institute that will help colleges and universities commercialize their research in partnership with private companies and other agencies is underway, Advanced Education Minister Thomas Lukaszuk says. The institute, as yet unnamed, will be open to researchers and students from any campus in Alberta, and serve as a major vehicle for diversifying the economy. It should eventually generate a stream of royalties for campuses and businesses, Lukaszuk said. In 2010, the province closed the Alberta Research Council and an Alberta Heritage Foundation for Medical Research program funding scientists, two agencies at arm’s length from government with independent boards. In their place, the Stelmach government set up the four Alberta Innovates agencies inside Advanced Education, with budgets of $20 million to $70 million each to fund short-term, applied research projects geared to priorities set out by government. Those reforms caused concern and consternation in the research community. [Source]


US – Man Takes On Data Miners by Selling Personal Information via Kickstarter

If pieces of information about our online habits are worth billions to marketers each year, should consumers be getting a piece of the pie? Zannier’s “A Bite of Me” project sets out to find the answer – or at the very least, to get more people thinking about the big data industry, online tracking, and how the internet works. For the past three months, the Brooklyn-based electrical engineer and student has been tracking his every online activity using “spy software” similar to what’s sometimes used by professional data miners. The project started as part of his thesis at NYU’s Interactive Telecommunication Program, where Zannier translated the information into stunning data visualizations. Eventually, he decided to sell it via Kickstarter to raise both funds and awareness. Now, for just $2, anyone can buy a single day’s worth of his personal data. The package includes a log of every website Zannier visited that day, the applications he used, an image of his face looking at the computer taken every 30 seconds by a webcam, screenshots of what he was seeing onscreen, the position of his mouse pointer, and even his GPS locations throughout the day. For $200, you can buy the entire 7GB data archive along with a suite of tools (over 50 bash, python and R scripts are included) to help analyze the data and potentially create impressive data visualizations like the ones Zannier provides on Kickstarter and his own website. So far, 103 people have backed the project, netting him more than twice his original funding goal with 22 days still to go. [Source]

WW – Preteens’ Use of Instagram Creates Privacy Issue, Child Advocates Say

The photo-sharing service Instagram, the mobile app owned by Facebook, is seeing tremendous growth, doubling in size to 100 million users in about a year. But child advocates and some parents say too much of its rise has been driven by preteens or even younger kids. These advocates say they worry about whether Instagram is collecting the personal information of young children, and whether the company is doing enough to make sure kids are safe from adult strangers. Over the past two weeks, more than 4,500 people signed a petition on that calls for Facebook to automatically set the accounts of children and teens to private. It also asks the company to disable GPS technology that can pinpoint where children take photos. [Source]


US – Obama to Agencies: Make Data More Public

President Barack Obama has “directed agencies to make their data easy to find and use by the public,” as agencies increasingly face requests and pressure to release government data to the public. The Office of Management and Budget has issued an open data policy requiring agencies to meet goals on improving data gathering, management and sharing. Agencies must create updated data set inventories, provide public listings of all public data and ensure the data is created and stored in “machine-readable and open formats, whether collected electronically, by phone or on paper,” the report states. [Federal Times] SEE ALSO: [Oshawa orders search of councillors’ email to find leak]

US – Executive Order Requires US Gov’t Agencies to Adopt Open Data Standards

The White House has issued an executive order requiring that “the default state of new and modernized Government information resources shall be open and machine readable.” Over the next six months, agencies must compile lists of all the datasets they collect and maintain. They must also indicate which of those lists are supposed to be available to the public. They also must make the publicly available data easy to find and to access and to use. [NextGov] [Text of Executive Order]

US – Government is the Largest Purchaser of Hacking Tools

According to a report from Reuters, the US government is the single largest buyer in the “gray market” of offensive hacking tools. While tools that exploit unknown vulnerabilities provide a tactical advantage, not disclosing the flaws leaves other organizations, including those in the US, vulnerable to attacks. Former high level cybersecurity officials have expressed concern about the situation. Former White House cybersecurity advisor Richard Clarke said, “If the US government knows of a vulnerability that can be exploited, under normal circumstances, its first obligation is to tell US users.” Howard Schmidt, also a former White House cybersecurity advisor, said, “It’s pretty naive to believe that with a newly-discovered zero-day, you are the only one in the world that’s discovered it.” And former NSA director Michael Hayden said that although “there has been a traditional calculus between protecting your offensive capability and strengthening your defense, it might be time now to readdress that at an important policy level.” Paying the vulnerability purveyors for the malware also removes the incentive for talented hackers to inform software makers about the flaws. [Reuters] [ZDNet]

Electronic Records

US – HIPAA Update Poses Tech Problems for Privacy

The move toward electronic health records and new federal rules set to give patients more control over their data are posing technical and administrative obstacles. One CEO of an electronic records system firm said, “The reality is, our ability to exchange electronic information is already well beyond our ability to control it.” Beth Israel Deaconess Medical Center Chief Information Officer John Halamka said, “It’s a technology problem and a work-flow problem and a policy problem.” Patient Privacy Rights Founder Deborah Peel said she’s concerned patients won’t be candid with their doctors over privacy fears. “Nobody knows who is using their health information and for what purpose,” she added. [The Wall Street Journal]


WW – iPhone Encryption Stymies Law Enforcement

Law enforcement agencies are growing frustrated with Apple iPhone encryption. Because the encryption used on the devices is so strong, law enforcement agencies are finding that they need to ask Apple to manually override the security controls and decrypt the data on seized devices. The demand is high enough to have created a significant backlog. Some law enforcement officials report having been told that they would have to wait seven weeks for Apple to help decrypt the information. Law enforcement frustration with Apple’s encryption is not new. Just a few weeks ago, the US Drug Enforcement Agency (DEA) warned that messages sent through Apple’s Messages App are nearly impossible to wiretap. The issue is illustrative of the balance that needs to be struck between law enforcement’s need to eavesdrop on certain communications and people’s right to privacy. [Ars Technica]

EU Developments

EU – Regulation Vote Delayed Again

The European Parliament Civil Liberties Committee has decided to delay a planned vote on the draft data protection regulation that had been scheduled for May 29. “German MEP Jan Philipp Albrecht, who is charged with steering the legislation through to the final vote, explained that although several meetings have been held and some agreements have been reached, more rounds of discussions are still needed,” the report states. Meanwhile, small- and medium-sized businesses remain concerned as the proposal would require those with 500 or more customers to have a data protection office, resulting in “additional expense in an economy where many are struggling.” Albrecht has said a vote is still possible before July. [PC World]

EU – Court Says Apple Must Revise Customer Data-Handling Rules

A German court has told Apple to change its data-handling rules. The court struck down eight of 15 provisions in the company’s data-use terms, stating they deviate too far from German law, the report states. The court also ruled Apple can’t seek “global consent” from consumers on the use of data, including geolocation information. “The ruling shows the high importance of data protection for consumers in a digital world,” said Gerd Billen, head of consumer group Verbraucherzentrale Bundesverband. [Bloomberg] [Source]

EU – BCR for Processors Endorsed

“The fact that with everything that is going on in the world of data protection right now, the Article 29 Working Party has devoted a thorough 19-page explanatory document to clarifying and endorsing the role of BCR for Processors or Binding Safe Processor Rules (BSPRs) is very telling,” Eduardo Ustaran writes for Field Fisher Waterhouse’s Privacy and Information Law Blog. Ustaran’s post highlights key elements in the Working Party’s document and notes that “despite the detailed requirements that must be met, the overall approach of the Working Party is very ‘can do’ and pragmatic.” [Source]

EU – Bill in Dutch Legislature Would Give Law Enforcement Broad Cyber Powers

Dutch lawmakers are considering broad legislation that would give law enforcement the authority to hack into computer systems in the Netherlands and abroad for research, evidence gathering, or to block access to specific data. Specifically, the bill would let law enforcement block illegal content like child pornography; read communication between criminals; and conduct digital wiretaps. It would also allow law enforcement to activate GPS capabilities on a suspect’s mobile phone for location tracking purposes. The powers would be subject to a judge’s approval and there must be logs kept of investigation data. The bill is being criticized for being “rushed” and for creating “new security risks for citizens.” [ComputerWorld]

Facts & Stats

EU – CNIL Report: Record-Breaking Year for Complaints

The French data protection authority (CNIL) has published its annual report, which indicates a “significant increase in complaints, audits and sanctions.” The CNIL processed a record-breaking number of complaints in 2012—more than 6,000—mostly from private individuals. It conducted 458 audits, up 20% from 2011. In the report, the authority notes “the challenges of regulating Big Data and cloud computing” and recommends “the right to be forgotten” within the proposed EU data protection regulation be enhanced. [Chronicle of Data Protection]


WW – Detangling the $45 Million Cyberheist

In the aftermath of the recent news about an international $45 million cyberheist and ATM cash-out scheme, experts say pinpointing the source of such a massive breach can prove to be extremely difficult. That’s because so many different entities are now involved in the global payments chain. “There are so many parties in the payments chain that it is very difficult to assign blame in these types of breaches,” says financial fraud expert Avivah Litan, an analyst with consultancy Gartner Inc., who blogged about the attack. “There can easily be seven roundtrip hops or more between an ATM cash disbursement request and the cash disbursement. The leakage can happen at any of those points or hops.” News reports this week named two payments processors that had their networks hacked, leading to the card data compromises in the $45 million cyberheist. But one is claiming it had no data intercepted, and the other has yet to make a statement.[Source]


CA – Plague of Government Secrecy Throttles Canadians’ Freedom

Canada now ranks No. 55 among 93 nations when it comes to the law that allows journalists and others to get access to federal government documents. The ranking by the Centre for Law and Democracy puts us just ahead of Angola and Thailand, but one place behind Slovakia. This is a huge drop from 31 years ago when Canada’s initial legislation on access to information (ATI) was hailed as world-leading. What has happened since then? For one thing, despite many demands over the years for changes to make our law more effective, successive Liberal and Conservative governments did nothing. Meanwhile, in many other countries new ATI laws were passed that gave individuals the right to express their views and also enshrined the right guaranteed in the Universal Declaration of Human Rights for people to receive information about important things going on in their government and society. Present Canadian law and processes concerning Access to Information are particularly bad and getting worse in how long it takes for government departments to reply. While 36.8% of requests in 1999 were answered beyond the 30 days the law allows, by 2011-12 that rose to 44.7%. According to a 2011 survey by Canadian Journalists for Free Expression, the average time for an answer was 395 days; on one request, the Department of Defence took an extension of 1,100 days. The CJFE’s annual Review of Free Expression in Canada, published today, gave a grade of D-minus to the federal Access to Information system. Another thing that can hurt Canadians is this country’s inability to protect whistleblowers — those brave people who step forward in the public interest to expose misdeeds, corruption or other wrongdoing in their workplaces. The federal and six provincial governments have laws and regulations about protecting whistleblowers among their employees, but they are flawed in many ways. In the private sector things are even worse. There is no direct legislation at any level that protects the jobs of whistleblowers and they are almost always terminated by their employers. Many never work again in their industry of choice. Amid all these issues, the federal government continues to stop the free flow of information to the public. In successive moves it has stymied federal government scientists, other bureaucrats, even their own backbenchers in Parliament and, most recently, senior RCMP officers from speaking to members of Parliament without permission from Public Safety Minister Vic Toews. In this era of news and views everywhere, the government tries to control its message, undermining democracy along the way. [Source]

CA – $2.1M in Severance Paid to Premier’s Advisers, But Details Remain Secret

More than $2.1 million in severance has been paid to departing members of the premier’s inner circle of advisers over the past three years, but the Redford government won’t say who received the payments — or even reveal how many staff received the taxpayer-paid settlements. Opposition critics and advocacy groups expressed surprise at the government’s position, saying it flies in the face of Premier Alison Redford’s oft repeated pledge to lead an open and accountable government. “You’re telling me severance payments are a state secret if they are issued by executive council?” said a Canadian Taxpayers Federation spokesman. “So when you have an embarrassing case of a political staffer who has done something wrong and they are let go, you can pay them out and no one can never know?” The amount of severance paid to departing employees is not included in the annual reports for executive council — the department the premier heads — and the premier’s office declined to provide the information to the Herald. In response to a subsequent request for the information under the Freedom of Information and Protection of Privacy (FOIP) Act, the premier’s office has provided aggregate amounts for 2010-11, 2011-12 and 2012-13, refusing to say how many staff received severance pay in each of those years. The largest amount, nearly $1.3 million, was paid in severance in 2011-12, the year Tory Premier Ed Stelmach handed over the reins of power to Redford, but since then more than $585,000 in severance has been paid to employees departing Redford’s office. The premier suggested Friday the details of severance payments can’t be released because of privacy legislation — a position her office has claimed for weeks. “It’s actually not up to us,” she said in Calgary. But the Freedom of Information and Privacy Commissioner has ruled previously that severance payments to publicly appointed officials must be disclosed. [Source]

SEE ALSO: [Canada: Why Do I Have To Agree To the Privacy Notice of Canada’s new online tool for making access to information (ATIP) requests? And Other Curiosities]

CA – Star Gets Action: Public Can Now Know Bad Cabbies’ Records

The public can now access records of bad taxi and tow truck drivers in Toronto. Detailed records of hearings where drivers were convicted of sexual assault, multiple Highway Traffic Act convictions and other crimes are now posted on the City of Toronto’s website. The documents were published following a Star investigation into the city’s licensing system that revealed the city’s policy of only checking criminal records every four years was allowing drivers with criminal convictions to remain on the road. The city has since pledged to tighten the gap between criminal background checks to two years, possibly one. [Source]

UK – Britain Struggles with Info Access vs. Privacy

In a recent case involving the theft of 113,000 GBP from a building in Warwickshire, police refused to identify the man charged with the crime. His identity was only disclosed after free speech campaigners made hay, and it was then learned the suspect was a former police officer. “The incident is indicative of rising tensions between journalists and authorities in Britain” when it comes to balancing privacy and freedom of information. “The police are in a real bind about this, because they have to balance the right to privacy against the public interest,” said one journalist. [NYT]


WW – Google Introduces New Search Tools to Try to Read Our Minds

The company revealed new search tools at its annual developers conference. Taken together, they are another step toward Google’s trying to become the omnipotent, human-like “Star Trek” search engine that its executives say they want it to be. When people ask Google certain questions, it will now try to predict the person’s follow-up questions and answer them, too. Google Now, the service that sends you information on traffic and weather before you even ask for it, is also digging deeper into our minds. Google is adding more entertainment alerts, like new music based on videos watched on YouTube, and turning Google Now into a robotic to-do list and a stronger competitor to Apple’s Siri. Tell Google to remind you to buy milk next time you are in a grocery store, for instance, and the alert will automatically pop up when you step in a Safeway. Google is also trying to make search more conversational by encouraging people to talk to their phones and computers and hear answers out loud. Voice search has already been possible on both types of devices, but Google announced that people can now talk to its Chrome browser to perform a search, by saying, “O.K. Google.” Google also uses location information to answer questions. So people can ask, “How far from here to Santa Cruz?” and Google will know where “here” is, or they can ask, “How tall do you have to be to ride the Giant Dipper?” and Google will know that is a ride nearby. In another step to personalize search, Google is expanding its tool that plucks information from Gmail and presents it in search results. Already, a search for “flights” by logged-in users produces flight information from Gmail. Now, you can ask Google to show your photos from your trip to New York last year, and it will find them on Google Plus and show them to you. Underlying many of these developments is Google’s privacy policy, which it revised last year to permit the company to use information shared with one Google service on another one. [The New York Times] SEE ALSO: [Google’s Eric Schmidt On Data Privacy: The Internet Needs A Delete Button]

Health / Medical

AU – Keeping Tabs On Elderly, As Dick Tracy Would

Two Sydney brothers are launching a personal security smart watch they say will assist care of the elderly, at a time Australia braces for its “silver tsunami” of aged baby boomers. Peter and Paul Apostolis’ SOS Mobile Watch has a built-in SIM card and a GPS chip, and lets its wearer communicate with carers by initiating calls through their watch at the touch of a button. “Essentially it’s a GSM, GPS device, a mobile personal-security response device,” Peter Apostolis said. The watch has three SOS buttons which let its wearer contact any of three carers or family members, with their numbers programmed in. While outgoing calls are restricted to carers, anyone can call in and say hello. It also features GPS for real-time tracking. To ensure a wearer’s privacy, only the three nominated carers can track a wearer’s location. [Source]

Horror Stories

US – Reputation Protection Biz Announces Breach

The company announced to its customers this week that it had been hacked, reports Dark Reading. The information compromised included customer names, e-mail addresses and mailing addresses, though no financial data was stolen. The company reports it has hired third-party security experts to inspect and improve its current operations. Law enforcement is also investigating. Meanwhile, HealthIT Security reports on how the Kmart data breach could have been avoided. [DarkReading] SEE ALSO: [Anti-piracy enforcement company becomes accidental pirate]

WW – Data Breach Includes Encrypted Passwords, Credit Card Info

A domain name registrar has notified customers that their personal information, including encrypted passwords and payment card data, was compromised in a security breach. The registrar required all customers to reset their passwords. The method used – customers were instructed to click a link to perform the reset – has been criticized because it resembles tactics used in phishing attacks. [SC Magazine] [ComputerWorld]

WW – Victims Suing for $40M; Other Breaches Announced

Montfort Hospital patients whose personal information was lost have filed a $40 million lawsuit. The breach involved the loss of a USB stick containing data on 25,000 patients back in November. Although it was eventually recovered, plaintiffs are accusing the hospital of “breach of contract, negligence, breach of privacy and violating its own bylaws and the Personal Health Information and Protection Act,” in connection with the loss of the memory stick, the report states. Meanwhile, in the U.S., Indiana University Health has notified 10,300 patients of a health data breach; Presbyterian Anesthesia reports a data breach affecting nearly 10,000, and Memphis Regional Medical Center has reported a breach involving three e-mails. [Toronto Sun] SEE ALSO: [Researcher suing B.C. government over privacy breach scandal] AND [Boston: Unions eye medical privacy violation]

Identity Issues

US – Rights Groups File Suit Over Plate-Readers

The American Civil Liberties Union Foundation of Southern California (ACLU) and the Electronic Frontier Foundation have asked a judge to order Los Angeles police and sheriff’s departments to provide details on their use of license-plate scanning technology. The departments have refused to produce the information as requested under the Public Records Act, stating the information is investigative material. The groups are seeking a week’s worth of data from the readers. The sheriff’s department responded, saying, “The public interest served by not disclosing the record clearly outweighs the public interest served by disclosure of the record,” but an ACLU lawyer notes, “Nothing will demonstrate to people the threat to their privacy as clearly as the release of this data.” [Los Angeles Times] SEE ALSO: [Automated Passport Control debuts at Vancouver International Airport] SEE ALSO: [Who Owns The Indian UID Database?]

US – FTC to Hold Hearing on Identity Theft and Senior Citizens

The US Federal Trade Commission (FTC) plans to hold a hearing on Tuesday, May 7 at which it will look into identity theft schemes perpetrated on senior citizens, including tax and government benefit identity theft; long term care identity theft; and medical identity theft, which is occurring with increasing frequency. One study said that about two million US citizens are victims of medical identity theft every year. The incidents cost an average of US $20,000 to resolve. The hearing will also look at ways of educating senior citizens about these issues. [SC Magazine] [FTC]

Intellectual Property

WW – Montreal Firm Monitoring Illegal Downloading for Court Cases

Massive lawsuits targeting people who illegally download copyrighted content are common in the U.S., where people have been stuck with hefty fines and out-of-court settlements, and now there’s an attempt to bring that to Canada. At the centre of the effort is Canipre, the only anti-piracy enforcement firm that provides forensic services to copyright-holders in Canada. The Montreal-based firm has been monitoring Canadian users’ downloading of pirated content for several months. It has now gathered more than one million different evidence files, according to its managing director Barry Logan. One of its clients is now before Federal Court in Toronto, requesting customer information for over 1,000 IP addresses — a user’s unique internet signature — collected by Canipre. That client is the American studio Voltage Pictures, maker of hundreds of films including the Academy Award-winning Hurt Locker. On the other side of the case is Teksavvy, an Ontario-based Internet provider. The IP addresses flagged by Canipre link back to its users. The case is set to resume next month. If the court orders Teksavvy to hand over customer info, it could be the beginning of a new chapter in the anti-piracy battle in Canada. “We have a long list of clients waiting to go to court,” said Canipre’s Logan, who estimates that about 100 different companies are paying close attention to the case. [Source]

Internet / WWW

WW – GPEN Launches First Internet Privacy Sweep

A total of 19 privacy enforcement authorities are participating in the Global Privacy Enforcement Network’s first Internet Privacy Sweep initiative. In announcing the launch of the weeklong initiative, the Office of the Privacy Commissioner of Canada said participating authorities will dedicate individuals to search the Internet in a coordinated effort to assess privacy issues related to the theme, Privacy Practice Transparency. “Privacy issues have become global and they require a global response,” noted Canadian Privacy Commissioner Jennifer Stoddart. “It is critical that privacy enforcement authorities work together to help protect the privacy rights of people around the world.” [Source] [Source]

Law Enforcement

US – FTC Sting Operation Results in Warnings to 10 Data Brokers

The FTC has announced it sent warning letters to 10 data brokers warning they may be in violation of the Fair Credit Reporting Act (FCRA). The potential violators were discovered by an undercover FTC data shopper in a sting operation, part of a Global Privacy Enforcement Network initiative. In it, the FTC approached 45 companies seeking financial data, citing reasons such as checks for employment eligibility or creditworthiness. Of those, “10 appeared willing to sell information without complying with the requirements of the FCRA.” [Ad Age]


US – What’s the Equivalent of Shouting “Fire!” in a Crowded Theater?

The Center for Geographic Analysis held its annual conference at Harvard’s Tsai Auditorium last week, focusing on the challenges and thoughts surrounding policy-making for a location-enabled society. The benefits of location technology are hard to deny—identifying influenza outbreaks, getting necessary transportation to people in remote locations, providing emergency services to people who call 911 from cell phones, heck, even just figuring out how to get home without being stuck in rush-hour traffic—but the collection, analysis and use of this data bring risks, too. [Source]

US – How to Mine Cell Phone Data Without Invading Your Privacy

Cell-phone mobility data could be a huge boon to development and planning efforts, but that resource can’t be used if privacy is compromised. Researchers at AT&T, Rutgers University, Princeton, and Loyola University have devised a way to mine cell-phone data without revealing your identity, potentially showing a route to avoiding privacy pitfalls that have so far confined global cell-phone data-mining work to research labs. Working with billions of location data points from AT&T mobile phone calls and text-messages around Los Angeles and New York City, they’ve built a “mobility model” of the two regions that aggregates the data, produces representative “synthetic call records”—then mathematically obscures any data that could tend to identify people. [MIT Review]

Online Privacy

WW – LinkedIn Revises Policy for User Clarity

LinkedIn is updating its privacy policy within the next week, the company reports in its blog. The updates will clarify and simplify language to make it easier for members to read and understand. The policy will be located on a page that will become the company’s “Privacy Portal” where users can access all of their LinkedIn data. [Source]

US – Reddit Rewrites Policy for Usability

Reddit has rewritten its privacy policy “from the ground up” in order to be clearer and more accessible to the average user. The policy goes into effect May 15. “For some time now, the reddit privacy policy has been a bit of legal boilerplate,” said the announcement. “This new policy is a clear and direct description of how we handle your data on reddit and the steps we take to ensure your privacy.” [WebProNews]

WW – Online Ads Can Now Follow You Home

Advertisers already know what people are up to on their personal computers. But understanding their online whereabouts on smartphones or tablets has remained elusive. A number of companies are trying to better pinpoint mobile users’ online activity with new software and techniques they say could help advertisers track users across devices. By harvesting cross-screen identities, the ad industry could serve ads to mobile phones based on the interests people express when surfing the Web on their PCs.[Source]

WW – In-App Advertisers Beware: Lookout Announces Deadline

With adware targeting the Android operating system up 61% over last year, by Bitdefender’s estimate, mobile security firm Lookout has decided to take a firmer stance with in-app advertisers. The company has announced “rules and standards for acceptable advertising practices that promote good user experience and privacy best practices” and given advertisers 45 days from May 10 to comply or otherwise be classified as adware. If advertisers display advertising outside the normal in-app experience, harvest PII or perform unexpected actions in response to ad clicks without explicit user consent, Lookout’s product will block them from users. [Source]

WW – Who Stands To Profit from the Quantified Self Movement?

Wearable devices and wellness apps are proliferating, and they often transmit potentially sensitive data to the cloud. As many as five million Americans currently use wearable devices, and as much as $700 million was invested by venture capital firms in creating such devices in the first half of last year. As a result, one digital tracking group, Quantified Self, has been formed and abides by the credo, “Self-knowledge through numbers.” Others, however, are concerned about the privacy ramifications of transmitting personal health data to the cloud. One computer scientist worries the data could be used against an individual. “It might mean that if your health is looking shaky, all of a sudden you won’t be able to get a loan,” he said. Meanwhile, a California-based programmer has raised concerns that Google Glass could easily be compromised by hackers. [Details Magazine] SEE ALSO: [Man with Down syndrome sues for $18 million after picture altered online]

US – Apple, Verizon Earn Poor Marks in EFF Privacy Report

The Electronic Frontier Foundation is warning that some companies should not be trusted with your data — but some should, and actively fight on the user’s behalf. Out of the 18 major Web and technology companies listed in the latest report from the U.S. privacy and civil liberties group, only six firms had five out of six stars rating how far they will go to either protect users from the government or even fight on their behalf in court. The report published by the EFF ranks the selected firms based on their privacy policies and law enforcement guidelines, but also how far they will go to protect users’ data when a subpoena is issued and so on. The EFF also notes whether the company in question needs a warrant to be issued before it hands over data. [Source]

Other Jurisdictions

AU – Draft Breach Notification Bill Being Circulated

Draft data breach notification legislation from the Australian government is being circulated among a “small number of stakeholders.” Circulated by the Australian Attorney-General’s Department, the Exposure Draft Privacy Amendment (Privacy Alerts) Bill 2013 “appears to take a conservative approach in its demand for data breaches to be reported, with only classifications of serious data breaches considered,” and the report states the legislation could come into force this July with an undisclosed grace period for compliance. [SC Magazine] See also: [NZ: Senior executives told to address privacy breaches]

UK – Trade Group Issues Insurance Guidelines

The Association of British Insurers (ABI) has published guidance for insurance companies on obtaining consent for data-sharing. ABI advises companies to obtain opt-in consent to share data with firms that are not “directly involved in managing or delivering a policy, handling a claim, setting premiums, detecting and preventing fraud” or involved in customer service, the report states, adding that companies collecting data must respect UK data protection laws.

Privacy (US)

US – Foreign Intelligence Surveillance Court Approved All Requests in 2012

The US Justice Department sent a report to Senate Majority Leader Harry Reid (D-Nevada) detailing certain activity of the Foreign Intelligence Surveillance Court. In 2012, the court approved every request it received to authorize physical searches or surveillance of people within the US “for foreign intelligence purposes.” There were 1,856 requests in all. [WIRED] [WIRED]

US – Obama May Back FBI Internet Wiretapping

The Obama administration “is on the verge of backing” an FBI initiative for “a sweeping overhaul of surveillance laws that would make it easier to wiretap people who communicate using the Internet rather than by traditional phone services.” The original FBI proposal would have required Internet communications services to build in a means to wiretap, but the revised proposal, pending a White House review, would fine businesses that do not comply, the report states. The Center for Democracy & Technology’s Greg Nojeim said, “I think the FBI’s proposal would render Internet communications less secure and more vulnerable to hackers and identity thieves.” FBI General Counsel Andrew Weissmann said, “This doesn’t create any new surveillance authority” and would require a court order. [The New York Times]

US – Delta Wins Dismissal of California Mobile App Privacy Suit

Delta Air Lines has won its request for dismissal of claims it violated California’s Internet privacy law because it didn’t notify mobile app users that their data was being collected. California Attorney General Kamala Harris sued the company in December, alleging its “Fly Delta” app didn’t clearly post its privacy policy. But Judge Marla Miller said the federal Airline Deregulation Act “bars states from imposing regulations on airlines related to price, routes or services,” the report states. [Business Week]

US – FTC Denies Group’s Request for Delay in COPPA Date

The Federal Trade Commission (FTC) has voted to keep July 1 as the scheduled implementation date for the update to COPPA. The decision denies a request from 20 groups, including the Interactive Advertising Bureau and the Application Developers Alliance, that the date be pushed back by six months, citing “insufficient time” between the FTC’s issued guidance on the new rules and the required compliance date. The groups say they need more time to make changes to their products. But the FTC responded that the groups had enough time and didn’t provide sufficient reasons for the requested change in date. [ADWEEK]

US – Medine confirmed to lead PCLOB

The Senate confirmed President Barack Obama nominee David Medine as chairman of the Privacy and Civil Liberties Oversight Board (PCLOB). This ends a two-year process and finally allows the PCLOB to go forward “at full strength,” said Judiciary Chairman Patrick Leahy (D-VT). However, questions remain as to the jurisdictional and scope-of-authority issues that Medine and the agency must decide. [Source]

US – Meet Nicole Wong, Obama’s New Internet Privacy Czar

President Obama has tapped a former Googler nicknamed “the Decider” to handle the administration’s approach to Internet privacy. Nicole Wong, who’s spent the last six months as Twitter’s legal director, will report to White House Chief Technology Officer Todd Park. While she won’t be the nation’s chief privacy officer, she’ll be considered a senior adviser, someone familiar with the matter told me. Wong already has a truckload of issues to sort through, and she hasn’t even started yet. Last month, the administration threatened to veto the controversial Cyber Intelligence Sharing and Protection Act, better known as CISPA, on privacy grounds. Reforms to the way government is allowed to access your emails for forensic purposes are also headed to a full Senate vote. [Source]

US – Corporate Personhood Denied by Pennsylvania Judge

Do corporations count as people? The Supreme Court said as much in Citizens United, but a Pennsylvania judge recently issued a resounding “no.” On March 20, Judge Debbie O’Dell-Seneca ruled that the state’s constitution doesn’t guarantee corporations a right to privacy—because that’s a privilege reserved for people. Two local newspapers had petitioned O’Dell-Seneca to unseal a 2011 settlement between a western Pennsylvania family and several fracking companies. The Hallowich family had sued over charges that hydraulic fracking operations on their land were causing them chronic nosebleeds, headaches and sore throats. The companies agreed to settle but imposed a strict gag order—something the fracking industry regularly insists upon in health-related lawsuits. Gas extraction company Range Resources Corp. argued before O’Dell-Seneca that the companies’ privacy rights protected them from disclosing the details of the settlement. But the judge disagreed, finding the argument “meritless” because the companies have no right to privacy. In fact, Judge O’Dell-Seneca spent roughly one-third of her 32-page decision forcefully articulating the reasons why corporations are not considered legal persons under the state’s constitution, observing that, “the constitutional rights that business entities may assert are not coterminous or homogeneous with the rights of human beings.” She continued, “It is axiomatic that corporations, companies and partnerships have no ‘spiritual nature,’ ‘feelings,’ ‘intellect,’ ‘beliefs,’ ‘thoughts,’ ‘emotions’ or ‘sensations,’ because they do not exist in the manner that humankind exists.” “The ruling represents the first crack in the judicial armor that has been so meticulously welded together by major corporations,” Thomas Linzey, Community Environmental Legal Defense Fund (CELDF) executive director, told AlterNet. 
In what it calls a “new civil rights movement,” CELDF has helped more than 100 communities in eight states adopt a Community Bill of Rights to limit corporate personhood. Other activists hope that Judge O’Dell-Seneca’s decisions will boost the movement for an amendment to the U.S. Constitution clarifying that corporations are not people. The Move to Amend Coalition has gathered more than 280,000 online signatures supporting such an amendment, and 12 states have passed resolutions of support. [Source]

Privacy Enhancing Technologies (PETs)

WW – Lookout Will Intercept Privacy-Invading Mobile Ad Networks, Apps

Mobile security vendor Lookout plans to start flagging as adware mobile apps that use aggressive ad networks if they don’t obtain explicit consent from users before engaging in behavior that potentially invades privacy. Ad networks, advertisers and app developers have until June 24 to start conforming to the company’s set of privacy and security best practices for mobile app advertising if they want to avoid being blacklisted. According to a study released by Bitdefender in March, the number of adware apps for Android devices increased by 61% during a five-month period ending in January. In the U.S. in particular, the number of adware apps increased by 35% during the same period. [Source]

WW – The Struggling Do-Not-Track Negotiations

There is friction between industry and privacy advocates leading up to what will be the final face-to-face negotiations within the World Wide Web Consortium (W3C) on establishing a Do-Not-Track (DNT) standard. On Friday, Mozilla posted a new report on the “State of Do Not Track in Firefox.“ Yet, if the W3C cannot come to an agreement this week, the proposed standard may go the way of the dodo. Two main sticking points revolve around default settings and what data may be collected after a DNT signal is activated. Jonathan Mayer, a Stanford University graduate student and participant in the W3C talks, said, “I think it’s right to think about shutting down the process and saying we just can’t agree,” adding, “We gave it the old college try. But sometimes you can’t reach a negotiated deal.” [The New York Times]


WW – Perimeter Security No Longer Enough: RSA

Forget about the perimeter, you’ve already been breached. That’s the mindset that RSA Security wants business and IT leaders to adopt when it comes to security posture. “If you’re still racking your brains about how to keep the bad guys out, you’re already way behind,” said Art Coviello, the 59-year-old executive chairman of RSA, during a media briefing at the EMC World 2013 conference. “It’s very likely that your network has already been breached and what you need to focus on is how to minimize and stop the damage.” A recent attack on RSA led it to refocus from authentication to detecting the “faint noises” of an attack in progress and immediately plugging that leak. He said that as more companies adopt big data strategies, they are also expanding the attack surface for cybercrime organizations. Unfortunately, many companies are still locked in the old model of reactive security. The RSA chief characterized this as:

  • Perimeter-based and focused on keeping attackers out
  • Static and signature-based, primarily using anti-virus and authentication
  • No true defense in depth

Most organizations that employ this security strategy, he said, spend 80% of their IT budget on perimeter defenses, 15% on monitoring and 5% on response. However, in recent years, enterprises have been dealing with growing amounts of data and an increasing number of devices hooked up to the corporate network and the Internet. This, Coviello argues, has expanded the threat landscape. A more mature security approach, he said, is one that splits the security emphasis this way:

  • Perimeter defense, 34% of budget
  • Monitoring, 33% of budget
  • Response, 33% of budget

Many organizations however are hampered by three main challenges: budget constraints, lack of skilled personnel and lack of information sharing. He said ideally, organizations should be sharing information on threats they have encountered and methods they have employed to reduce the security risk for everyone. “Information sharing in this matter has to scale out,” Coviello said. “What we need is a neighbourhood watch.” [Source]

WW – Honeywords Would Serve As Hack Alert

Researchers have proposed a technique to detect account hijacking by seeding hashed password files with dummy passwords, or honeywords, alongside each user’s real one. Only a separate “honeychecker” knows which entry is genuine, and admins would be alerted whenever one of the phony passwords is used. The technique does not stop attackers from running dictionary attacks against a stolen hash file, but an attacker who cracks it recovers several plausible candidates per account and cannot tell which is the real password; trying a wrong one trips the alarm. [ArsTechnica] See also: [Facebook] [NakedSecurity] [DigitalTrends]
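The following is an added worked example, not code from the original article or from the researchers who proposed the scheme. It shows the mechanics described above: each account stores k “sweetwords” (the real password plus k-1 decoys generated by re-rolling the trailing letters and digits so they resemble the original), the login server holds only salted hashes, and a separate honeychecker holds the index of the real entry and raises an alert when a decoy is presented. The class and function names, the k=20 default, the PBKDF2 iteration count and the sample passwords are all assumptions made for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed demo of the honeywords scheme. Names, parameters and the sample
# passwords are assumptions; nothing here is the researchers' reference code.

ALPHABETS = {
    "digit": "0123456789",
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
}

def _char_class(c):
    if c.isdigit():
        return "digit"
    if c.islower():
        return "lower"
    if c.isupper():
        return "upper"
    return None  # punctuation is left alone so decoys keep the password's shape

def make_honeywords(real, count, rng=None, tail=3):
    """Build `count` distinct decoys by re-rolling the last `tail` letters/digits of `real`."""
    rng = rng or secrets.SystemRandom()
    positions = [i for i in range(max(0, len(real) - tail), len(real)) if _char_class(real[i])]
    if not positions:
        raise ValueError("password tail has no letters or digits to tweak")
    decoys = set()
    for _ in range(count * 1000):  # bounded: a very short tail may not have `count` variants
        chars = list(real)
        for i in positions:
            chars[i] = rng.choice(ALPHABETS[_char_class(real[i])])
        cand = "".join(chars)
        if cand != real:
            decoys.add(cand)
        if len(decoys) == count:
            return sorted(decoys)
    raise ValueError("not enough distinct tweaks available for this password")

def _hash(word, salt, iterations=20_000):
    # PBKDF2 keeps offline cracking slow; real deployments use far more iterations.
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations)

class Honeychecker:
    """Separate, hardened service: user -> index of the real sweetword, plus an alert log."""
    def __init__(self):
        self._real_index = {}
        self.alerts = []

    def set_index(self, user, idx):
        self._real_index[user] = idx

    def check(self, user, idx):
        if idx == self._real_index.get(user):
            return True
        # A decoy matched: the hashed password file has almost certainly been cracked.
        self.alerts.append((user, idx))
        return False

class LoginServer:
    """Ordinary login server: holds only a salt and the hashes of all k sweetwords per user."""
    def __init__(self, checker, k=20):
        self.checker = checker
        self.k = k
        self._rows = {}

    def register(self, user, password, rng=None):
        rng = rng or secrets.SystemRandom()
        sweetwords = make_honeywords(password, self.k - 1, rng) + [password]
        rng.shuffle(sweetwords)  # the real password must not sit in a predictable slot
        salt = os.urandom(16)
        self._rows[user] = (salt, [_hash(w, salt) for w in sweetwords])
        self.checker.set_index(user, sweetwords.index(password))
        # Returned only to simulate what an attacker recovers after cracking the file.
        return sweetwords

    def login(self, user, attempt):
        if user not in self._rows:
            return False
        salt, hashes = self._rows[user]
        h = _hash(attempt, salt)
        for idx, stored in enumerate(hashes):
            if hmac.compare_digest(h, stored):
                return self.checker.check(user, idx)
        return False  # not a sweetword at all: an ordinary wrong password, no alert

def simulate_cracked_file(user, password, k=20, rng=None):
    """Register, then have a 'cracker' try a decoy: returns (legit_ok, decoy_ok, alerts)."""
    checker = Honeychecker()
    server = LoginServer(checker, k=k)
    cracked = server.register(user, password, rng)   # what a cracker ends up with
    legit_ok = server.login(user, password)
    decoy = next(w for w in cracked if w != password)  # cracker cannot tell which is real
    decoy_ok = server.login(user, decoy)
    return legit_ok, decoy_ok, list(checker.alerts)

if __name__ == "__main__":
    # prints (True, False, [('alice', idx)]) where idx is the slot of the decoy that was tried
    print(simulate_cracked_file("alice", "Summer2013!7"))
```

The point of the split is that a dump of the login server’s table alone never reveals which of the 20 hashes is genuine; the honeychecker stores no password material and only answers “index i for user u: real or not?”, so it can be kept on a minimal, separately administered host. A wrong password that is not a sweetword is treated as a normal failed login, so honeyword alerts stay rare and high-signal.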

US – Pentagon Approves BlackBerry 10 and Samsung Galaxy Devices

The US Defense Department (DOD) has cleared Samsung Galaxy smartphones and tablets and Research in Motion’s BlackBerry 10 devices for use by military officials and government workers. A Pentagon spokesperson called the approvals “a significant step toward establishing a multi-vendor environment that supports a variety of state-of-the-art devices and operating systems.” The Pentagon expects to clear Apple iOS6 devices later this month. [Information Week] [ABC News] [The Register]

WW – Bloomberg Reporters Had Access to Client Account Information

Bloomberg news editor-in-chief Matthew Winkler has apologized for employees using the company’s financial data terminals to snoop on customers. Bloomberg reporters had access to login histories, “high-level types of user functions on an aggregated basis,” and help desk inquiries. Having access to the information may have given Bloomberg reporters an edge over other reporters. The terminals, which are in many financial institutions and related organizations, provide financial industry professionals with real-time market data, news, and a messaging service. Companies rent the machines for US $20,000 a year.

Winkler wrote, “Our reporters should not have access to any data considered proprietary. I am sorry they did. The error is inexcusable.” The issue came to light after a Bloomberg reporter commented to a Goldman Sachs executive that another Goldman executive had not logged in recently. The reporters no longer have access to the customer information. [CNN] [CNET] [Wash Post]


US – Use These Secret Google Search Tips to Become Your Own Spy Agency

There’s so much data available on the internet that even government cyberspies need a little help now and then to sift through it all. So to assist them, the National Security Agency produced a book to help its spies uncover intelligence hiding on the web. The 643-page tome, called Untangling the Web: A Guide to Internet Research, was just released by the NSA following a FOIA request. The book was published by the Center for Digital Content of the National Security Agency, and is filled with advice for using search engines, the Internet Archive and other online tools. [Source] [FBI Guidance on open source intelligence collection]

IN – Central Database Has Advocates “Up in Arms”

Privacy advocates are concerned after the Indian government introduced a central monitoring system (CMS) designed to give authorities access to citizens’ phone calls and online communications. The plan aims to thwart terrorism attempts, but the CMS will be accessible by law enforcement and tax authorities and allows the government “a single point of access to ‘lawfully’ intercept voice calls and texts, e-mails, social media and the geographical location of individuals.” Activists claim privacy laws aren’t strong enough to protect citizens against such powers. [The Register]

US – DoJ Obtains Journalists’ Phone Records

The Associated Press is crying foul after discovering the Department of Justice (DoJ) had secretly obtained two months of telephone records for more than 20 corporate and personal phone lines used by as many as 100 AP journalists. In a letter of protest to U.S. Attorney General Eric Holder, AP CEO Gary Pruitt said, “There can be no possible justification for such an overbroad collection of the telephone communications of the Associated Press and its reporters.” DoJ officials would not tell the AP why or how the records were obtained. The DoJ simply notified the AP via letter on Friday the records were in hand. The Obama administration denied knowledge of the investigation. Sen. Patrick Leahy (D-VT) pronounced himself “concerned” by the DoJ actions, as did Sen. Rand Paul (R-KY) and groups like the ACLU and American Society of News Editors. [Source]

AU – Cameras Shut Down Over Privacy Incident

New South Wales Premier Barry O’Farrell has said the government will move to enact legislation to ensure the continued use of closed-circuit television cameras (CCTV) on public streets after an invasion-of-privacy incident prompted officials to turn off the cameras. O’Farrell said CCTV “has proven essential in assisting police” and cameras are “a vital tool in the fight against crime, and I am determined to ensure they remain so.” O’Farrell also has asked the attorney general “to seek urgent advice on the implications and whether legislative amendments are required to validate the continued use of CCTV.” In the U.S., meanwhile, during Sunday’s airing of Meet the Press, a U.S. lawmaker discussed the importance of camera surveillance to curb terrorism in the context of the Boston Marathon bombings. [The Sydney Morning Herald] [CCTV use in spotlight after privacy ruling] SEE ALSO: [All cars may soon get eyes]

US – Boston Bombing Highlights Need for High-Tech Surveillance

Police and politicians across the U.S. are pointing to the surveillance video that was used to help identify the Boston Marathon bombing suspects as a reason to get more cameras on their streets. From Los Angeles to Philadelphia, efforts include trying to gain police access to cameras used to monitor traffic, expanding surveillance networks in some major cities and enabling officers to get regular access to security footage at businesses. Some in law enforcement, however, acknowledge that their plans may face an age-old obstacle: Americans’ traditional fear that more law enforcement powers will erode their privacy. There are also questions about effectiveness. A 2011 Urban Institute study examined surveillance systems in Baltimore, Chicago and Washington, and found that crime decreased in some areas with cameras while it remained unchanged in others. The success or failure often depended on how the system was set up and monitored. There’s general agreement, however, that cameras can be useful to identify suspects after a crime is committed. [Source]

Telecom / TV

US – Judge Admits Evidence Gathered With Cell Tower Spoofing Technology

A judge in Arizona will allow evidence collected by federal investigators through the use of technology known as stingray, which mimics a cell phone tower. The defense had filed a motion to suppress the evidence, claiming that the use of stingray violated Daniel Rigmaiden’s Fourth Amendment rights because there was no warrant for the search of his apartment. The judge determined that Rigmaiden did not have a reasonable expectation of privacy because he had obtained all of those things fraudulently – using others’ identities. Rigmaiden allegedly filed hundreds of phony tax returns using the names of people who had died. He is the alleged mastermind in a scheme that stole US $4 million from the IRS through fraudulent tax returns. The judge also said that the government did not act improperly by failing to inform the magistrate judge who authorized the tracking activities that it planned to use a stingray to track the suspect or explain how the technology worked. [WIRED] [ArsTechnica] [Judge’s order denying motion to suppress evidence]

US – Former FBI Agent Says All Phone Calls in U.S. are Recorded by Government

Tim Clemente, a former FBI counterterrorism agent, hinted on CNN that the government uses an intrusive surveillance network to monitor citizens’ phone calls. On CNN, he discussed the Boston Marathon attacks and telephone conversations between Katherine Russell and her now-deceased husband Tamerlan Tsarnaev. Clemente said that the conversations between them will be available to the FBI. He said that no digital communication was secure from the surveillance of the government. This isn’t the first time government surveillance of cellphone conversations has made headlines. Even Senators Ron Wyden and Mark Udall have said the public would be “stunned” to learn the lengths the government went to uncover information. Should the U.S. government have the right to invade privacy if it helps ensure the safety of the American people? [Source]

US – NYC Police Chase Smartphone Thief

“The closest comparison that leaps to mind is a classic chase scene from a 1971 thriller,” is how The New York Times describes a case where New York City police tracked down an individual who stole an iPhone. Law enforcement was able to track the suspect’s movements by using the “Find My Phone” feature. According to the report, 16,000 smartphone devices are stolen per year in New York City. [Source]

US – NY A-G Wants Mobile Phone Companies to Help Thwart Device Theft

New York State Attorney General Eric Schneiderman has sent letters to the CEOs of Apple, Samsung, Google, Motorola, and Microsoft asking them to specify what they are doing to make phones less susceptible to theft. Schneiderman asked why the companies do not offer technology that would make stolen phones useless, which would deter thieves. [CNET]

US Legislation

US – Gov’t: Warrantless E-mail Access OK; Legislators Intro Bills

The U.S. Department of Justice and the FBI have said they don’t believe they need search warrants for access to Americans’ electronic communications. That’s according to internal documents obtained by the ACLU. U.S. Reps. Tom Graves (R-GA) and Kevin Yoder (R-KS) have introduced a bill aimed at protecting consumer privacy by updating protections for electronic communications stored by third-party service providers. The E-mail Privacy Act would extend protections for regular mail to e-mail and cloud data. Meanwhile, Sen. Rand Paul (R-KY) has introduced a bill that would repeal the anti-privacy provisions in the Foreign Account Tax Compliance Act. [The Wall Street Journal]

US – FBI Domestic Investigation Guide Says No Warrant Needed to Access eMail

According to the 2012 edition of the FBI’s Domestic Investigations and Operations Guide, the FBI believes it has the authority to access individuals’ electronic communications and documents without a search warrant. The ACLU obtained the document through a Freedom of Information Act (FOIA) request. The guide indicates the FBI believes all that is required to access such information is a subpoena signed by a federal prosecutor. This policy appears to fly in the face of a 2010 ruling that requires federal authorities to obtain warrants prior to accessing email accounts. At a Congressional hearing earlier this year, DOJ officials acknowledged that the interpretation of the Electronic Communications Privacy Act (ECPA) of 1986 that allows warrantless access to opened email and to unopened email more than six months old is no longer applicable. [Ars Technica] [ZDNet]

US – Bill Requiring Data-Use Disclosure, Others Introduced

A new bill would require app developers to have privacy policies detailing how they share user data. Rep. Hank Johnson (D-GA) has introduced the bill, which would require users to sign off on the privacy policy before using an app, the report states. The user would also be able to ask for data to be deleted upon ceasing to use the app. Politico reports that support for privacy legislation is gaining momentum from the right side of the political aisle; four Republican congressmen have introduced two bills that would require law enforcement to obtain warrants before accessing individuals’ e-mail data. [Ars Technica] SEE ALSO: [Researchers: Hold Off on APPS Act]

US – Proposed Legislation Would Place Privacy Onus on Mobile App Developers

A US legislator has introduced the Application Privacy, Protection and Security Act of 2013, a bill that would require mobile app developers to take responsibility for the privacy of users’ data. The legislation would require developers to inform users which data the apps collect and how the data are stored, and to obtain consent before the data are gathered. The developers would also need to specify how they will use the collected data, and whether they will be shared with other parties. The FTC would bear the responsibility of enforcing the measure should it become law. [ComputerWorld] [SC Magazine] [Discussion Draft of the Bill]

US – Researchers: Hold Off on APPS Act

There are calls from the research industry to hold off on the proposed Application Privacy, Protection and Security (APPS) Act. The Marketing Research Association (MRA) is concerned the act would empower the FTC “to define what the term ‘personal data’ meant, as the MRA had already seen in a previous act’s amendment debate that the FTC thought this meant that almost any piece of information could be personally identifiable,” the report states. The MRA is also concerned about the FTC being able to decide the meaning of de-identified data, the act’s mobile app transparency notice requirements and the legislation “not giving industry attempts to introduce a workable privacy code of conduct a chance.”

US – State Legislative Roundup

A number of U.S. states have passed or are working on various types of privacy legislation—from employee privacy to breach notification. Most notably, California has pulled a bill that would have required businesses to disclose to consumers data they have collected on them. The Pennsylvania Senate has passed a law that would require state agencies to notify residents of a breach “as soon as possible.” And the Texas House has also “tentatively” approved similar social media legislation. [Source]

US – U.S. Companies Fight EU-like Proposals

U.S. Internet companies are pushing back against California privacy bills that closely resemble EU proposals. One such bill would require companies to disclose what information they share with third parties and provide them with the corresponding contact information. Another would require social networking sites to remove user information within four days of such a request, akin to Europe’s “right to be forgotten” provision in the draft data protection regulation. Companies have argued the provisions would be detrimental to ad revenues. [Bloomberg]

Workplace Privacy

CA – Director’s ‘Reply All’ Email Discussing Firing of Employee Leads to Lawsuit

We have all experienced that awful feeling after hitting the ‘send’ button and realizing a copy of a sensitive or confidential email has inadvertently gone to the wrong person. Usually, the situation is simply embarrassing. Not so for Maria Fernandes, a Mississauga employee of healthcare communications company Marketforce Inc. In March 2011, she accidentally received an email discussing whether or not she should be fired. Court documents allege that Linda Guerin, the company’s Director of Operations intended to send the email to the company’s lawyers. Too late she realized Fernandes was also on the list and she unsuccessfully sent three recall notices. She also sent an email to Fernandes asking that she delete the message without opening it. Fernandes read it, treated the information in the email as a constructive dismissal and hired a lawyer. A few weeks later, she left her job as a Director of Client Services at Marketforce, which subsequently amalgamated with Sudler & Hennessey ULC. Fernandes claimed in a court filing, she had effectively been fired. She had worked for the company for over six years and was earning $145,000 a year. She is suing her former employer in the Ontario Superior Court for wrongful dismissal. The case has not been heard, so we don’t know if a trial judge will agree that Fernandes was constructively dismissed. The company went to court and argued that because the intended recipients of the email were the company’s lawyers, the information in it was a privileged communication. The company wanted the email removed from the Statement of Claim in Fernandes’ lawsuit. The company’s motion was dismissed and an application to appeal the ruling was also refused. [Source]


16-30 April 2013


US – The Power and Limits of Facial Recognition

Salon interviews Carnegie Mellon computer scientist Alessandro Acquisti to explore why, according to Boston’s police commissioner, facial recognition technology did not help identify the Boston bombing suspects. Among the “three or four potential hurdles,” Acquisti said image quality, available data stored in databases to match images, the high cost of such software and the problem of false positives may have all played a role. Meanwhile, Google Executive Chairman Eric Schmidt and Google Ideas Director Jared Cohen “forecast the raft of new innovation and corresponding threats that will arise for dictatorships, techno revolutionaries, terrorists and you” in an NPR interview.

WW – Apple Siri Retains Query Data for Two Years

Apple has responded to concerns raised by the ACLU about ambiguous information in its Siri privacy policy. Terms, such as “disassociated” and “period of time” have now been clarified by Apple spokeswoman Trudy Muller. Apple has revealed that it retains information about questions users ask Siri for as long as two years, although the company does try to anonymize the data. Siri queries are sent to Apple’s servers, where they are assigned an identifier – not an AppleID or email address – that links the voice files to the device from which they were sent. After six months, the identifier is removed, but the query data are retained to help Apple with product testing and improvement. Muller added, “If a user turns Siri off, both identifiers are deleted immediately along with any associated data.” But ACLU Lawyer Nicole Ozer says Apple should do more, including linking to the Siri privacy policy from its FAQ page so consumers can review data-handling practices prior to purchasing the company’s products. [WIRED] [Ars Technica] [ZDNet]

WW – Will ‘Passthoughts’ Replace Passwords?

A new form of biometric security using brain waves to authenticate users has been developed by researchers from the University of California, Berkeley. Rather than using a password to gain access, a user would submit a “passthought,” generating a unique brainwave signal that may prove difficult for an attacker to duplicate. The recent commercialization of external electroencephalogram (EEG) devices — the researchers used a Neurosky MindSet, which connects wirelessly via Bluetooth and costs about $100 — makes this technology plausible, and it could someday be used to replace traditional passwords.


CA – Committee Calls for Voluntary OPC Guidelines

The House of Commons Standing Committee on Access to Information and Privacy is not recommending the government give the Office of the Privacy Commissioner (OPC) power to fine companies for breaking federal privacy law, instead calling on the OPC to “establish guidelines to help social media and data management companies develop practices that fully comply” with the law. The committee voiced concern that “major social media companies, while doing business in Canada, prefer to be governed by laws other than those of this country.” The guidelines would address how websites and data brokers “collect and use the personal information of Internet users”; however, “any direction provided under the proposed guidelines would only be voluntary,” the report states. [Postmedia News] [Privacy watchdog urged to create guidelines for social media and data brokers] [Privacy and Social Media in the Age of Big Data: Report of the Standing Committee on Access to Information, Privacy and Ethics | PDF version]

CA – Canada’s Grapple with Privacy and Freedom of Expression

A recent Alberta Court of Appeal decision that the province’s privacy law is unconstitutional can be seen as potentially rippling through the country at large and setting up a clash between privacy and freedom of expression, as included in the charter passed in 1982. This clash between privacy and freedom of expression is particularly interesting because while freedom of expression is a “fundamental right” under the charter, there is no similar privacy right, except as listed in the legal rights of those dealing with the justice system. [The Privacy Advisor] SEE ALSO: [Data Protection Laws of the World Handbook: Second Edition – Canada]

CA – Government Announces Software to Enhance Airport Passenger Privacy

Minister of State (Transport) Steven Fletcher has announced that the Canadian government is deploying software on Canada’s full body scanners to enhance passenger privacy. The new Automatic Target Recognition software is now being updated to produce a computer generated stick figure rather than displaying an outline of the passenger’s body, the report states. “Our government is committed to ensuring the safety and security of all passengers traveling through Canadian airports,” Fletcher said. [The Herald] See also: [Detector finds smuggled cellphones even without batteries or SIM cards]

CA – Canadian Gov’t Quietly Drops Lawful Access from Cyber-Security Strategy

The government has recently dropped lawful access from its national cyber-security strategy. The 2010 Cyber-Security Strategy telegraphed the intent to bring forward lawful access legislation with a commitment to introduce a bill:

  • Requiring Internet service providers to maintain intercept capable systems, so that law enforcement agencies can execute judicially authorized interceptions;
  • Requiring Internet service providers to provide police with basic customer identification data, as this information is essential to combatting online crimes that occur in real time, such as child sexual abuse

Yet earlier this month, the government released its Action Plan 2010-2015 for the Cyber-Security Strategy.  It removed all references related to lawful access including the commitment to legislation involving Internet service providers. Given that the document originates with Public Safety – the most ardent supporter of lawful access within the government – the removal of surveillance language provides a strong signal that it is not part of the legislative plan for the foreseeable future. [Source] See also: [N.S. wants ban on spreading images after Rehtaeh Parsons case]

CA – BC Hydro Smart Meters Provoke Class Action Lawsuit

Opponents of smart meters are preparing a class action lawsuit against BC Hydro, alleging installation of the high-tech devices has led to thousands of health, safety and privacy concerns over the last two years. The group estimates that some 200,000 homes would switch back to analog meters if they had the choice. The coalition’s lawyer is now collecting signatures online for the class action lawsuit, which they plan to file in court in the near future. BC Hydro spokeswoman Cindy Verschoor says Stutters’s new analog meter isn’t approved for use in Canada and if something went wrong it could be liable. The only meters BC Hydro does approve are the smart meters, she said. “In cases where a meter’s expiration date is up or the meter is broken, B.C. Hydro has always had to replace the meter with a new meter,” said Verschoor. B.C. NDP Leader Adrian Dix has promised to submit the smart meter program to an independent review if he’s elected premier. [Source]

CA – BC Homeless People Deserve Privacy Too, Says Advocate

An agency that helps homeless people is waging a battle with government agencies over how much personal information to share about its marginalized clients. The Lookout Society, which receives funding for a New Westminster transition house from Fraser Health, is upset the health authority wants details about the residents, including their names, from the agency’s electronic database. The health authority stated it wanted the information to track services clients receive from the agencies it funds, as well as to monitor their progress. “Sending all of this really personal information to government, which hasn’t got a really good track record of holding this information private, is not in the clients’ best interest,” said Lookout executive director Karen O’Shannacery. “And there is a question of whether we can legally release all that information.” [Source] SEE ALSO: [POLL: Should Alberta health cards include photo ID?]

CA – Competition Bureau Loses its MLS-Access Case Against TREB

The federal Competition Tribunal has dismissed a high-profile case regarding access to MLS data on a technicality and awarded costs to the Toronto Real Estate Board. In a decision released last week, the tribunal ruled the case, which accuses TREB of anti-competitive behaviour, had been initiated by Melanie Aitken, former commissioner of the Competition Bureau, under the wrong section of the Competition Act. The densely written, 7-page decision — reached after more than 8 months of preparation and 2 months of hearings in Toronto last fall — came as a surprise to some close to the complex case. [Source]


WW – Microsoft Launches Public Awareness Campaign

Microsoft is introducing a public awareness campaign that includes TV, print, billboard and online ads as well as a quiz to determine consumer attitudes on privacy. The quiz aims to get people talking about their attitudes on privacy. “It assesses how much you are interested in managing access to your information online,” said Mary Snapp, Microsoft corporate vice president and deputy general counsel, adding, “It enables you to talk about privacy choices with your friends and family.” Microsoft is rolling out the campaign in Washington, DC, and Kansas City, MO, where competitor Google “might be exposed” an Ad Age report notes. [The Washington Post] See also: [Washington Post: As cyberthreats mount, hacker’s conviction underscores criticism of government overreach]

US – The ZIP Code Data Trail

CNN reports on the data trail established when consumers willingly give their ZIP code to offline retailers when making a purchase. The combination of a name—given during a credit card purchase—and a ZIP code can help data brokers link a consumer’s purchasing habits with publicly available records for the purposes of targeted advertising. Privacy Rights Clearinghouse Director of Policy Paul Stephens said, “For the majority of the country, the ZIP code is going to be the piece of the puzzle that is going to enable a merchant to identify you.” The Massachusetts Supreme Judicial Court recently ruled that ZIP codes are personal information, preventing retailers from asking for ZIP codes for marketing purposes. [CNN]

US – Survey Shows Consumers Want Some Targeted Ads

A Digital Advertising Alliance (DAA) survey has shown that nearly 70 percent of respondents would like at least some targeted advertisements. “It’s unfortunate that targeted advertising has been conflated with all kinds of privacy fears,” said DAA Managing Director Lou Mastria, adding that he hopes the study will inform the debate surrounding the necessity of legislation. “We asked real specific questions about the real-world proposition, the value exchange between advertising and the experience on the Internet,” he continued. “And that yields clear answers.” However, Annenberg School of Communications Prof. Joseph Turow analyzed the poll and expressed doubts over the validity of results. [Ad Week]

WW – Study Shows Major Generational Divide On Online Privacy Attitudes

A study published this week by the USC Annenberg Center for the Digital Future found that young adults don’t care as much about online privacy as older Internet users. Individuals between the ages of 18 and 34, known as Millennials, were found to be more willing to hand over their personal data or web behavior to online businesses. Although 70% of young adults agreed that companies should never be allowed to access their personal data, compared to 77% by those older than 35, Millennials were more willing to give up some privacy if they benefited from it, such as receiving coupons or other business deals. More than half of Millennials surveyed said they would be willing to trade personal information for something in return, compared to just 40% of those aged 35 and older. Both age groups agreed, however, that personal data being used for targeted advertisements was a concern. Only 25% of young adults agreed with targeted ads, compared to 19% of Internet users age 35 and older. “Online privacy is dead — Millennials understand that, while older users have not adapted,” said Jeffrey I. Cole, director of the USC Annenberg Center for the Digital Future. “Millennials recognize that giving up some of their privacy online can provide benefits to them. This demonstrates a major shift in online behavior — there’s no going back.”

“We are seeing a whole new set of values driving Millennials in their behavior online,” said Greg Bovitz, president of Bovitz Inc, co-publisher of the study. “The fact that Millennials are willing to part with personal information creates new opportunities for businesses to develop marketing models that capitalize on the wants of this generation of Internet users.” [Source]

CA – Bank Fraud, Computer Security Top Survey of Canadians’ Privacy Concerns

Canadians feel the grip on their privacy slipping away in a world where web sites, mobile devices and even eyes in the sky can track their every move, a new poll suggests. A growing unease over how well personal information is safeguarded is among the findings of a newly released survey commissioned by the federal privacy watchdog. The poll suggests two-thirds of Canadians are concerned about the protection of their privacy — with a quarter of respondents saying they are “extremely concerned.” Many Canadians feel a growing sense of helplessness when it comes to protecting their privacy. Seven of every 10 people think their personal information has less protection today than it did a decade ago. More than half of those surveyed felt they did not know enough about new technologies to determine if their privacy is at risk. The survey also suggests most Canadians are concerned about bank fraud, credit-card fraud, computer security and identity theft. Despite these concerns, the poll found most Canadians remain largely unaware of their privacy rights. Some 63% rated their knowledge of privacy laws either low or in the neutral range. That said, Canadians’ knowledge of their privacy rights is higher now than in previous years, the survey suggests. [Source]


US – CFPB Head Defends Consumer Data Collection Plan

Testifying at a Senate Banking Committee hearing, U.S. Consumer Financial Protection Bureau (CFPB) Director Richard Cordray defended his agency’s data collection plans. He said the data collected is not privacy-invasive and parallels techniques already used in the private sector. “The big banks know more about you than you know about yourself,” Cordray said, “And me, too, as a consumer.” The CFPB is currently collecting data from credit bureaus and requesting large amounts of data from major banks in order to improve the agency’s rule-writing and supervisory work, the report states. Sen. Mike Johanns (R-NE) said, “To many people, this is going to sound downright creepy.” Cordray said, “The notion that we’re tracking individual consumers or invading their privacy is quite wrong.” [Bloomberg]

US – US Amasses Big Data on 10 Million People; Banks Protest

The new US consumer finance watchdog is gearing up to monitor how millions of Americans use credit cards, take out mortgages, and overdraw their checking accounts. Their bankers aren’t happy about it. The Consumer Financial Protection Bureau is demanding records from the banks and is buying anonymous information about at least 10 million consumers from companies including Experian. While the goal is to sharpen enforcement and rule-making, banking executives question why the bureau is collecting so much without being more specific about the benefits. [Source]


US – IRS Will Obtain Warrant Prior to E-mail Access

In response to news last week that the Internal Revenue Service (IRS) does not obtain warrants prior to accessing suspects’ electronic communications, IRS Acting Commissioner Steven Miller said the no-warrant policy for e-mails will be abandoned. Testifying in front of the Senate Finance Committee, Miller said it’s currently the IRS’s policy to get a “search warrant in advance” of accessing a suspect’s e-mail, but he said he didn’t know if that policy extended to other electronic communications such as Facebook or Twitter. [CNET News]

Electronic Records

US – New HIPAA Rules Create New Responsibilities

With the final omnibus HIPAA and HITECH rule released by the Department of Health and Human Services in January, there are new concerns for healthcare privacy. Business associates and subcontractors can now be held directly liable for any breach of personal health information (PHI) and are now responsible for breach reporting. Breach documentation must be maintained for six years, and there are new limits on use and disclosure of PHI. Bowen writes that “adherence to HIPAA must be an ongoing, full-time effort,” and “privacy is not a one-and-done; it must become part of the fabric of your organization.” [Becker’s Hospital Review]


US – Judge Will Not Force Man to Decrypt Hard Drives

A federal judge in Wisconsin said that forcing a suspect to decrypt his hard drives would violate his Fifth Amendment right against self-incrimination. Judge William E. Callahan called the decision a “close call.” [Ars Technica] [WIRED] [Text of Ruling]

EU Developments

EU – Committee Votes Down PNR Bill

The EU Parliament’s Civil Liberties Committee voted against plans for sharing airline passenger data among EU nations. The plans call for a passenger name record (PNR) system, similar to the current agreement with the U.S., that would share the names, contact details and payment data of passengers. Dutch MEP Sophie in ’t Veld and German MEP Jan Philipp Albrecht welcomed the vote, the report states, noting that citizen rights and the rule of law had been considered first. UK MEP Timothy Kirkhope said the vote was “irresponsible” and accused other MEPs of putting “ideological dogma before a practical and sensible measure that would have seriously assisted our fight against crime and terror.” BBC News provides video of the Parliamentary debate. [PCWorld] [EU parliament committee votes against air passenger data sharing bill]

EU – Coalition: Revised Law Would Undermine Privacy

A coalition of international civil liberties groups is contending that proposed changes to the EU’s data protection regulation “would strip citizens of their privacy rights.” The move to create one regulation to replace the existing data protection laws in the EU’s 27 member states “obviously requires compromise, but many parliamentarians report never seeing lobbying on such a scale before,” the report states, noting the civil liberties coalition, which includes such groups as EDRI and Privacy International, has set up a website “to help concerned citizens contact their representatives in the Parliament.” [IDG News Service]

EU – EDPS Hustinx Outlines Road Ahead for Regulation

As the opening speaker at the IAPP Europe Data Protection Intensive in London, European Data Protection Supervisor Peter Hustinx laid out his predictions for what the much-anticipated EU privacy regulation would finally look like when adopted. Confident that it would meet deadline and be in place by the spring of 2014, Hustinx said, “my impression is that there is a basic consensus that the current architecture of the regulation is the right one…Now the focus is on getting it right, and the key word there is balance.” [IAPP Privacy Advisor] See also: [Vodafone’s Deadman: Show Us the Carrots]

UK – Former ICO Wants Rewrite of Chapter IV

Noting the prescriptive and inflexible nature of the EU’s draft data protection regulation, former UK Information Commissioner Richard Thomas used his keynote address at the IAPP Data Protection Intensive in London on Thursday to outline an alternative framework that would focus more simply on outcomes, provide incentives for meeting regulatory requirements and allow for as much self-enforcement as possible. [Source]

EU – Privacy Regulators Criticize Companies’ Tactics

Criticism has been levied by German data protection regulators on Google and Facebook in light of investigations into the companies’ privacy practices. Regulators said the companies have used “delay tactics” and have exercised “impertinent” behavior during the probes, the report states. Federal Data Protection Commissioner Peter Schaar said “Google will keep making attempts to delay investigations through continuous correspondence and always freshly repackaging arguments.” Google was fined by Hamburg’s data protection commissioner earlier this week. A German appeals court has also rejected an attempt by Schleswig-Holstein Data Protection Commissioner Thilo Weichert to require Facebook to allow users to register under pseudonyms. Facebook said, “We’re seeking to have a constructive dialogue with all groups, also with our greatest critics.” [Bloomberg]


EU – Working Party Dislikes EC’s Impact Assessment Template

The Article 29 Working Party has criticized the European Commission’s recommended template for data protection impact assessments (DPIA) on smart meter use. “The submitted DPIA Template does not directly address the actual impacts on the data subjects, such as, for example, financial loss resulting from inaccurate billing, price discrimination or criminal acts facilitated by unauthorized profiling,” said the Working Party. Smart metering is due to take effect in the UK in 2014, but privacy concerns have been raised. [The Working Party’s opinion]

US – FTC’s Brill Looks to Smooth EU-U.S. Privacy “Rift”

The Wall Street Journal reports on comments made in Brussels by FTC Commissioner Julie Brill. “I don’t want to say there’s confusion about the U.S. privacy regime,” Brill told reporters, “but there does seem to be a lack of understanding about how robust it is and how much enforcement work we actually do and how strong the laws are that we do have in sensitive areas.” Brill noted, “Last year we issued what I call our big privacy rethink…Many of the principles we talked about are actually reflected in the proposed EU regulation.” Facebook Chief Operating Officer Sheryl Sandberg said, “I believe there is a perception and fear that because we are American we don’t take privacy as seriously as Europeans do…If there is a single American who cares as much about privacy—just one—as someone in Germany, then we have to understand it.” [Source]

EU – Vote on Regs Delayed Until Late May

A final vote on the EU data protection proposal was scheduled to take place this week, but the Civil Liberties, Justice and Home Affairs Committee (LIBE) has postponed it until May 29-30. Industry is lobbying heavily against the proposal, which they say will stifle business and innovation in member states. John Pooley, of specialist agency the Data Partnership, says the proposed changes “will render both targeting and analytics and almost anyone currently engaged in digital marketing to have to review their current practices.” The delay is being attributed to an effort to concentrate on the fallout over the banking crisis in Cyprus, the report states. [Marketing Magazine]

Facts & Stats

US – The Consumer Cost of a Data Breach

New research has revealed the consumer costs of last year’s breach of the Utah Department of Health. On average, according to Javelin Strategy & Research, “each incident will result in more than $3,300 in losses” and each victim “will spend about 20 hours and $770 on lawyers and time lost from work to resolve the case.” Meanwhile, Bloomberg reports that more clinics and hospitals are investing in biometric technology—such as iris scans—to improve patient safety and curb identity theft. U.S.-based data breaches may have cost the healthcare industry as much as $7 billion a year, according to a Ponemon Institute study. [The New York Times]


JP – Japan’s National Police Wants ISPs to Block Tor for Those Who “Abuse” It

Japan’s National Police Agency (NPA) may begin asking ISPs there to block Tor, a network that helps people anonymize their online activity. (Tor stands for The Onion Router). The ISPs would be asked to block people’s use of Tor if those people had been found to be abusing the network. Japanese police were thwarted in their efforts to nab a cybercriminal because he used Tor. The NPA’s plan comes in response to a recommendation from a panel brought together to help decide how to fight crime that is committed with the help of Tor. [ArsTechnica] [BBC] [The Register]


CA – Digital Cash Replacement from Royal Canadian Mint in the Works

Secure chips have already made it into our credit and debit cards. Next up, they could replace pocket change. The Royal Canadian Mint has been pushing forward with its “MintChip” prototype, a digital cash replacement aimed at transactions under $10, since it surfaced a year ago. The Crown corporation is factoring in developer feedback, hiring a product manager and consulting with the financial sector. MintChip, as envisioned, could enable paying someone back by tapping phones together, scanning a QR code to donate to charity, or clicking to spend cents on an online article. However, it’s not known when — or even if — the MintChip will be released into circulation. A Finance Department official said the Crown corporation is consulting with the federal government on potential next steps, and currency changes can require legislative approval. To even attempt to create such a system sets Canada apart from other countries, said electronic transaction specialist Dave Birch. “To the best of my knowledge, Canada is the only mint that’s seriously experimenting with this sort of thing,” he said. [Source]


WW – Increase in Content Removal Requests from Governments

According to Google’s most recent transparency report, the company received more requests from governments to remove content in the last six months of 2012 than during any previous six-month period for which records have been kept. Between July and December 2012, Google received 2,285 requests from governments around the world to remove a total of 24,179 pieces of content. The figures for the first half of 2012 were 1,811 requests to remove 18,070 pieces of content. Many of the requests came from governments seeking the removal of content critical of government officials. Google does not automatically comply with content removal requests, but instead scrutinizes the legality of requests and considers each request’s scope. [CNet] [ZDNet] [Google’s Transparency Report]

US – Will Public Release of Privacy Audits Become the Norm?

Last week, Facebook released some details of its FTC-mandated, independent privacy practice audit. This Privacy Perspectives blog post looks into why this could be good for the privacy profession. [Source] [Source] [New York Times: Privacy Practices Up-to-Par, Facebook Audit Reveals]

US – Facebook: Audit Finds Privacy Practices Sufficient

Facebook says that an independent audit found its privacy practices sufficient during a six-month assessment period that followed a settlement with federal regulators. Facebook Inc. said it submitted the findings to the FTC. The audit was a required part of the social networking company’s settlement with the FTC last summer. The settlement resolved charges that Facebook exposed details about its users’ lives without getting the required legal consent. Facebook provided a copy of its letter to the FTC, along with a redacted copy of the auditor’s letter, to The Associated Press two days later. The redacted portion contains trade secret information and does not alter the auditor’s findings, the company said. The audit, which found that Facebook’s privacy program met or exceeded requirements under the FTC’s order, covered written policies as well as samples of its data. “We’re encouraged by this confirmation that the controls set out in our privacy program are working as intended,” said Erin Egan, Facebook’s chief privacy officer for policy, in an emailed statement. “This assessment has also helped us identify areas to work on as Facebook continues to evolve as a company, and improve upon the privacy protections we already have in place. We will keep working to meet the changing and evolving needs of our users and to put user privacy and security at the center of everything we do.” Facebook did not disclose the full, 79-page report or specific details on shortcomings in its privacy practices that were revealed by the audit. Spokeswoman Jodi Seth said Facebook declined to disclose such details “based on contractual obligations and the possibility of security and competitive vulnerabilities.” The company has asked the FTC to keep the redacted information private, saying it would put it and its auditor at a competitive disadvantage and because it could reveal possible limitations of its privacy program.
The name of the accounting firm is also redacted but that information will be released when the FTC responds to the audit. [Source]


US – ‘Biobank’ Bill Threatens Genetic Privacy

Minnesota health officials have built an unauthorized state biobank of DNA and health data on individuals. They admitted in testimony to the Legislature that the Minnesota Department of Health has been collecting genetic information for decades without specific legislative authority. They now want the Legislature to retroactively legalize what they did — and let them keep doing it into the future. The department’s biobank legislation — wrapped into the omnibus data practices bills, H.F. 695 and S.F. 745 — is ready for a floor vote in the Minnesota House and Senate. [Source]


WW – Google’s Predictive Search Comes to iPhone, iPad

Google’s predictive search feature, Google Now, uses the cache of data Google stores on individual users to target them with the information it deems most relevant to their needs at any given moment. The feature was rolled out for iPhones and iPads this week and is based on users’ search histories, location information and Gmail confirmations for flights, hotel bookings or restaurants, for example. “We’re providing answers before you’ve even asked the question,” said Google’s director of product development. [CNN] SEE ALSO: [Book Review: The New Digital Age: Reshaping the Future of People, Nations and Business]

EU – Google Chiefs to Face Prosecutorial Appeal in Video Case

Google’s Senior Vice President and Chief Legal Officer David Drummond, Global Privacy Counsel Peter Fleischer and former Chief Financial Officer George Reyes head back to Italy to face an appeal brought by the prosecutor of a 2010 case over alleged privacy offences involving a video posted to the now-defunct Google Video service. The executives were originally given suspended six-month sentences, which were then overturned. The report states the prosecutor will now appeal the case to the Italian Court of Cassation, arguing that employees can be responsible for content uploaded by users and that services should be responsible for pre-screening user-created content. [PCWorld]

EU – 145,000-Euro Fine for Google

Hamburg authorities have fined Google 145,000 euros for collecting data from unsecured wireless networks while collecting photos for its Street View service. Google has said the collection was a mistake and the company never analyzed the information, which it has expunged. But Hamburg Data Protection Commissioner Johannes Caspar said, “In my opinion this case constitutes one of the biggest known data protection violations in history,” noting that by law, the maximum fine his office can levy for an accidental violation is 150,000 euros. [The Economic Times] [Google Fined a Pittance for Street View Data Collection: CNet | BBC | ComputerWorld]

WW – Google Play Store Changes Content Policy

The Google Play Store has changed its Content Policy to require that developers not update apps outside of the store. Specifically, “an app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play’s update mechanism.” Apps that do not abide by the new requirement will be labeled “dangerous products” and may be removed from the store. The policy change may have been prompted by Facebook’s introduction last month of a silent update feature for Facebook for Android. [CNet] [Ars Technica] [ZDNet] [h-Online]

WW – BadNews Malware Snuck Into Google Play Apps

Malware known as BadNews has been downloaded from Google Play at least two million times. BadNews was found to have been hidden in at least 32 separate apps from four different developers. The malware was added to the apps after they had been submitted to Google Play. Infected Android devices connect to remote servers every four hours to send harvested data, including device phone numbers and unique serial numbers. The remote servers also instruct infected devices to install a Trojan horse program called AlphaSMS that sends text messages to numbers that incur charges. Google has removed the infected apps. [The Register] [ArsTechnica] [SC Magazine] SEE ALSO: [Facebook Used to Market Banking Trojans]
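The fixed four-hour check-in described above is exactly the kind of regularity a network-side detector can catch, whatever the payload. The following Python is an added example written for this page, not code from any of the cited reports or from an analysis of BadNews itself: it parses a constructed device-to-host connection log (the line format, host names and device IDs are assumptions) and flags any (device, destination) pair whose inter-connection intervals are nearly constant, reporting the period in seconds. It generalizes beyond the four-hour case to any regular period.

```python
"""Periodic-beacon detection over a device connection log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real BadNews traffic): "<ISO timestamp> <device> <destination host>".
# dev-01 checks in with c2.example.invalid every 4 hours with a few seconds of jitter;
# dev-02's browsing to news.example.invalid is irregular.
SAMPLE_LOG = """\
2013-04-19T00:00:03 dev-01 c2.example.invalid
2013-04-19T01:17:40 dev-02 news.example.invalid
2013-04-19T04:00:05 dev-01 c2.example.invalid
2013-04-19T06:42:11 dev-02 news.example.invalid
2013-04-19T08:00:01 dev-01 c2.example.invalid
2013-04-19T08:05:59 dev-02 news.example.invalid
2013-04-19T12:00:04 dev-01 c2.example.invalid
2013-04-19T13:30:00 dev-01 maps.example.invalid
2013-04-19T16:00:02 dev-01 c2.example.invalid
2013-04-19T20:00:03 dev-01 c2.example.invalid
2013-04-19T21:10:13 dev-02 news.example.invalid
"""


def parse_log(text):
    """Yield (timestamp, device, destination) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_beacons(text, min_hits=4, max_jitter=0.05):
    """Return a list of (device, destination, period_seconds, hits) for pairs whose
    connection intervals are almost constant.

    max_jitter is the allowed standard deviation of the intervals as a fraction
    of their mean; min_hits is the minimum number of connections before a pair
    is judged at all (too few points and any two gaps look 'regular')."""
    seen = defaultdict(list)
    for ts, dev, dst in parse_log(text):
        seen[(dev, dst)].append(ts)

    beacons = []
    for (dev, dst), stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue  # duplicate timestamps only; nothing periodic to report
        if pstdev(gaps) / period <= max_jitter:
            beacons.append((dev, dst, round(period), len(stamps)))
    return beacons


if __name__ == "__main__":
    for dev, dst, period, hits in find_beacons(SAMPLE_LOG):
        print(f"{dev} -> {dst}: {hits} connections, period {period}s ({period / 3600:.2f} h)")
```

On real data, feed proxy or NetFlow records in the same (timestamp, client, destination) shape; min_hits and max_jitter trade sensitivity for false positives, and a sample that randomizes its sleep interval would need a looser max_jitter or a different statistic than the coefficient of variation used here.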

US – ACLU Files Complaint With FTC Over Android Security Updates

The American Civil Liberties Union (ACLU) has filed a complaint with the US Federal Trade Commission (FTC) asking that the agency investigate major wireless phone service carriers for failing to deliver updates for known security issues in the Android operating system. The complaint alleges unfair and deceptive business practices for failing to distribute the patches and failing to inform customers that their devices are vulnerable to attacks. While Google has issued updates for the flaws, the carriers have not pushed them out in a timely manner. Apple issues its own updates for its phones, but individual carriers bear the responsibility of pushing out Android fixes. [WIRED] [h-Online] [ArsTechnica] [Washington Post] [Text of Complaint]

US – Google Wallet Update Upsets Privacy Advocate

Google’s update to an e-commerce tool used by vendors to manage sales is merely for show, charges a consumer advocacy group, which adds that the company should be more clear about its privacy policies. The update, used in conjunction with Google Play and other services, displays less of a customer’s personal information to the vendor than the previous iteration. The update to the e-commerce tool is rolling out to vendors now and over the next few weeks. But consumer advocacy group Consumer Watchdog says Google’s move is not an “actual” change, and it’s demanding more privacy policy accountability from Google. John Simpson, Privacy Project director at Consumer Watchdog, described his organization’s complaints from February and March filed with the U.S. FTC and the California Attorney General’s office about the Google Merchant Center. “Google was passing on the name, address, and e-mail address of the app buyer. We alleged that it violated policy law and the Buzz agreement.” “Google is a serial privacy violator,” said Consumer Watchdog’s Simpson, adding that Google’s “statement is pure bafflegab.” [Source]

WW – Google Releases Glass App Developer Guidelines

Google has released “extensive” guidelines for software developers aiming to build apps for the company’s wearable, Internet-connected glasses. According to the report, the guidelines are “much more restrictive” about Google Glass than has been the case with other products because of perceived consumer privacy concerns. Developers cannot sell ads, collect user data or share data with ad companies. A Forrester analyst said, “What we find is the more intimate the device, the more intrusive consumers perceive advertising is.” Google said to developers, “Be honest about the intention of your application, what you will do on the user’s behalf and get their explicit permission before you do it.” [The New York Times] See also: [What is the proper etiquette for Google Glass in a public bathroom? Nothing, really, according to Scoble]

Health / Medical

US – Parents Say HIPAA Risks Public Safety

Parents say there are risks to public safety when it comes to HIPAA privacy standards. At a recent hearing at the House Oversight and Investigation Subcommittee of the Energy and Commerce Committee, parents articulated concerns about HIPAA’s “limiting nature.” One parent, whose son died of a heroin overdose, testified that HIPAA rules prevented him from obtaining his child’s medical data—data that could have contributed to the child’s wellbeing. Some experts say the problem isn’t with HIPAA but with how some organizations interpret it, the report states. [HealthIT Security]

Horror Stories

CA – More Than 3,000 Gov’t Breaches in 10 Years

Documents tabled in Parliament this week show that the federal government has experienced more than 3,000 data and privacy breaches in the past 10 years, affecting more than 725,350 Canadians. Less than 13 percent of those breaches were reported, prompting NDP critic Charlie Angus to say, “As a standard, we should involve the privacy commissioner when Canadians’ privacy is breached,” noting that there may have been circumstances when Canadians were put at risk and not informed. [PostMedia] [Geist: Thousands of government breaches point to need for reform] [Public data breaches at all-time high] See also: [CA: IIROC broke own rules by losing private data — can we believe its explanation?]

US – Health Info Breach at 911 Center

A 911 emergency dispatch center in Monroeville, PA, is notifying all users of the service in 2012 or 2013 that they should “take all necessary steps to make sure that all your personal information is safe and secure.” A complaint alleges the center e-mailed personal information to a former police chief and allowed callers’ medical information to be anonymously accessed using generic user names and passwords. An investigation into the breach is underway, but investigators do not yet have “any specifics on who had access to the system or the dates the system had been breached.” [Post-Gazette] See also: [NL: Another breach of privacy for Eastern Health]

WW – 50 Million Passwords Hacked

Cyberthieves have breached LivingSocial, accessing the passwords of more than 50 million users. It is not yet known how the attackers breached the systems, but the passwords were salted and hashed, the report states. With the passwords, the hackers potentially had access to user names, e-mail addresses and birthdays; credit card and other financial data were not affected. LivingSocial CEO Tim O’Shaughnessy said the company is “redoubling efforts to prevent any issues in the future.” [PC Magazine] [CNet] [The Register] [ComputerWorld]

US – “Unsecured” E-mails Cause Health Data Breach

A Texas-based hospice center is informing more than 800 patients of a data breach after an employee allegedly sent out at least two “unsecured” e-mails containing sensitive patient information. The e-mails in question included recent referrals and admission activity reports, and compromised data included patient names, referral sources, admission and discharge dates and insurance providers. Hope Hospice discovered the breach during a routine security check and has said employees have since gone through additional training. [Health IT Security]

US – Verizon: One In Five Data Breaches Are the Result of Cyberespionage

IDG News Service reports that Verizon will soon publish its 2013 Data Breach Investigations Report, which compiled information from over 47,000 security incidents and 621 confirmed data breaches. The study explored financially motivated criminal attacks as well as cyber espionage. Analysts noted that in “four out of five breaches, the attackers stole valid credentials to maintain a presence on the victim’s network” and that mobile devices and cloud technologies were not major targets. Meanwhile, the British Department for Business, Innovation and Skills says small- and medium-sized businesses (SMBs) are increasingly the targets of cybersecurity attacks, and it will extend its Innovation Vouchers scheme to SMBs, allowing them to apply for funding to invest in cybersecurity. [PC World]

UK – The Guardian’s Twitter Accounts Hijacked

The same group that hijacked the Associated Press’s Twitter feed last week is now claiming responsibility for taking over Twitter accounts belonging to the UK newspaper The Guardian. The Syrian Electronic Army claims to have taken control of 11 Twitter feeds at the Guardian. The attack occurred over the weekend; as of Monday, Twitter had suspended most of the hijacked Guardian accounts. Following last week’s AP incident, which resulted in a phony tweet claiming that there had been an attack on the White House, Twitter announced that it is conducting internal testing of two-factor authentication. [ZDNet] [InformationWeek]

WW – Twitter Warns News Companies to Improve Security

Twitter has contacted major news organizations around the world, warning them that attacks like those against the Associated Press and The Guardian are likely to continue, and advising them to examine their internal policies for using social media. Twitter made suggestions, such as increasing the strength of account passwords and designating just one computer to use for Twitter. [BBC] [ZDNet]

Identity Issues

US – Professor Re-Identifies DNA Study Volunteers

Working with her research assistant and two students, Harvard Data Privacy Lab Director Prof. Latanya Sweeney scraped data on anonymous volunteers who shared their DNA with the Personal Genome Project, re-identifying more than 40 percent of the sample. Profiles of anonymous participants include information on medical conditions, illegal drug use, alcoholism, depression, sexually transmitted disease and medications, as well as DNA sequences, the report states, noting Sweeney’s team was able to discern identity from ZIP code, date of birth and gender “combined with information from voter rolls or other public records.” Sweeney has set up a website to help individuals determine how easily they could be identified by entering those three pieces of information. [Forbes]
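The re-identification above rests on how few people share a given ZIP code, date of birth and gender. The following added example (not code from the Forbes report or from Sweeney's lab) measures that on a constructed sample: it computes the dataset's k-anonymity on the (ZIP, DOB, gender) triple and the share of records that are unique on it, and shows how generalising the fields (3-digit ZIP prefix, birth year) raises k.

```python
"""Added example: k-anonymity of the (ZIP, date of birth, gender) quasi-identifier.

The records below are constructed for illustration; they describe no real person.
"""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed "de-identified" profiles: no names, but a full quasi-identifier triple.
SAMPLE_PROFILES: List[Dict[str, str]] = [
    {"zip": "02138", "dob": "1957-06-30", "sex": "M", "condition": "asthma"},
    {"zip": "02139", "dob": "1957-02-14", "sex": "M", "condition": "diabetes"},
    {"zip": "02138", "dob": "1971-01-12", "sex": "F", "condition": "migraine"},
    {"zip": "02139", "dob": "1971-03-05", "sex": "F", "condition": "none"},
    {"zip": "02141", "dob": "1971-11-23", "sex": "F", "condition": "hypertension"},
    {"zip": "02141", "dob": "1985-09-09", "sex": "M", "condition": "depression"},
    {"zip": "02138", "dob": "1985-12-01", "sex": "M", "condition": "none"},
    {"zip": "02139", "dob": "1985-04-18", "sex": "F", "condition": "asthma"},
    {"zip": "02141", "dob": "1985-07-07", "sex": "F", "condition": "none"},
]

QuasiId = Tuple[str, str, str]


def quasi_id(rec: Dict[str, str], generalise: bool = False) -> QuasiId:
    """The (ZIP, DOB, gender) triple, optionally coarsened to (ZIP3, birth year, gender)."""
    if generalise:
        return (rec["zip"][:3], rec["dob"][:4], rec["sex"])
    return (rec["zip"], rec["dob"], rec["sex"])


def equivalence_classes(records: List[Dict[str, str]], generalise: bool = False) -> Counter:
    """How many records share each quasi-identifier value."""
    return Counter(quasi_id(r, generalise) for r in records)


def k_anonymity(records: List[Dict[str, str]], generalise: bool = False) -> int:
    """Smallest equivalence class; k == 1 means at least one record is unique on the triple."""
    classes = equivalence_classes(records, generalise)
    return min(classes.values()) if classes else 0


def unique_fraction(records: List[Dict[str, str]], generalise: bool = False) -> float:
    """Share of records whose triple is unique, i.e. nameable by anyone holding a complete
    public record (such as a voter roll) keyed on the same three fields."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, generalise)
    uniques = sum(1 for r in records if classes[quasi_id(r, generalise)] == 1)
    return uniques / len(records)


if __name__ == "__main__":
    for label, gen in (("exact triple", False), ("ZIP3 + birth year", True)):
        print(f"{label}: k={k_anonymity(SAMPLE_PROFILES, gen)}, "
              f"unique={unique_fraction(SAMPLE_PROFILES, gen):.0%}")
```

On this sample every record is unique on the exact triple (k = 1), while the coarsened triple gives k = 2 with no unique records; a release policy would pick the generalisation level that reaches its target k before publishing.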

WW – Microsoft to Begin Offering Two-Factor Authentication

Microsoft will start offering two-factor authentication to Microsoft Account users on an optional basis. The scheme will be much like those used by Google, Apple, and Facebook in which accounts are protected with both a password and a one-time passcode sent to users in a text message or generated by an authentication app. Users will have the opportunity to designate certain devices as trusted on which they do not need to use two-factor authentication. [ArsTechnica] [ComputerWorld] SEE ALSO: [Microsoft asks: What’s your online privacy type?]

US – Airbnb Starts Verifying User Profiles

Airbnb, which helps people find vacation rentals all around the world, today will start verifying the identity of all users by asking for their real-life papers, the company announced. Airbnb is asking both travelers and those who have property listings to provide two forms of identification for a new verification process. The company will take people’s IDs from Airbnb reviews and social media sites, like LinkedIn or Facebook, and will ask users to fill in information only they would know or scan a photo ID to confirm a match. For now, the company plans to require 25% of its users in the U.S., chosen at random, to complete the process. It intends to expand the requirement worldwide so that all Airbnb members will be verified. [Source]

Intellectual Property

US – Class-Action Incites Music Industry Privacy Concerns

A proposed class-action lawsuit has some in the music industry concerned that artists’ financial privacy will be breached. The proposed class-action was launched against Universal Music Group (UMG) by two musicians seeking damages based on treating income from online downloads as “sales” instead of “licenses.” The plaintiffs’ lawyers want UMG to disclose download revenue tied to particular artists to calculate potential damages. Lawyers for UMG said, “Under plaintiffs’ proposal, plaintiffs’ attorneys and music-industry professionals could review the private financial information of thousands of recording artists with whom they may have adverse relationships and who have not indicated any desire to be part of any class or to be represented by these attorneys or professionals.” [Hollywood Reporter]

WW – New Media Asset Tracking System Introduced

A media industry organization has announced the results of a two-year study on a new coding system that tracks media assets—from video clips to commercials. The Coalition for Innovative Media Measurement said the system would increase revenue by the billions for media companies and help them determine where, when and how content is viewed. One analytics representative said the system would help advertisers specifically tailor ads and allow media companies “to spend less time putting the data together and more time doing analysis.” Meanwhile, a new survey from the University of Southern California reveals that Millennials—those between the ages of 18 and 34—tend to be more willing to share personal information with marketers, particularly when there’s a relevant exchange of information. [The New York Times]

US – Erroneous DMCA Takedown Notices Problematic (April 22, 2013)

The Fox broadcasting company has sent Digital Millennium Copyright Act (DMCA) takedown notices regarding URLs linking to a novel, written by Cory Doctorow, called “Homeland.” Fox produces a television show with the same name; the two are in no way related. Further complicating matters is the fact that Doctorow published his novel under a Creative Commons license, which means its availability on BitTorrent is completely legal, so Fox’s takedown notices are causing legitimate content to be removed from the Internet. There is little recourse in situations like this. The DMCA requires that the takedown notices be issued in good faith, but it is easy enough to blame the erroneous notices on carelessness. In any case, the party whose content was wrongly taken down can recover only costs and attorney’s fees. [ArsTechnica] [DMCA robo-notices have been problematic for some time. For a hilarious (and terrifying) account of copyright shenanigans and DMCA notices, see: ]

Internet / WWW

US – ITA Says Safe Harbor Covers Cloud Technology

The U.S. Department of Commerce’s International Trade Administration (ITA) has published a report saying that U.S. companies’ compliance with Safe Harbor principles guarantees sufficient data protection, regardless of whether outsourcing contracts involve cloud computing. The ITA says because Safe Harbor is binding on all countries in the European Economic Area, EU data protection authorities cannot “unilaterally refuse to recognize Safe Harbor certification as a valid means of demonstrating that a service provider ensures an adequate level of data protection,” contrary to an Article 29 Working Party opinion released last year. One expert suggests the ITA has “not recognized some regulatory burdens facing some clients of U.S. cloud providers.” [Source]

US – FTC Urges States to Look at Data Brokers

In a speech to the National Association of Attorneys General, FTC Commissioner Julie Brill urged states to be more active in investigating data brokers for contravening the Fair Credit Reporting Act. The FTC recently sent out letters warning companies that compile data on individuals’ rental histories. [Lexology]

US – FTC Seeks Input on “Internet of Things”

The FTC is seeking input from the public through June 1 concerning the privacy implications of the “Internet of Things.” The term describes the ability of cars, appliances and medical devices to communicate with each other and people. Ahead of a public workshop to be held in November, the FTC aims to determine how privacy will be balanced with the benefits of such technology, among other concerns. FTC staff seeks input on the privacy and security implications of these developments. 

  • What are the significant developments in services and products that make use of this connectivity?
  • What are the various technologies that enable this connectivity?
  • What types of companies make up the smart ecosystem?
  • What are the current and future uses of smart technology?
  • How can consumers benefit from the technology?
  • What are the unique privacy and security concerns associated with smart technology and its data? For example, how can companies implement security patching for smart devices? What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
  • How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decision making or to promote energy efficiency? Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances? [FTC Press Release]

Law Enforcement

US – Apple, AT&T and Verizon Receive Lowest Marks in EFF Privacy Report

In its annual review of tech companies’ sharing of user data with law enforcement and government, the Electronic Frontier Foundation (EFF) says companies have improved markedly since last year, but the results may still be “sobering.” The EFF grades companies on six categories, including whether they require a warrant to share data, inform users of requests and publish transparency reports. “When you use the Internet, you entrust your conversations, thoughts, experiences, locations, photos and more to companies like Google, AT&T and Facebook,” the EFF wrote. “But what do these companies do when the government demands your private information? Do they stand with you? Do they let you know what’s going on?” [San Francisco Chronicle]

US – Industry, Scholars Back Drone Innovation

The Association for Unmanned Vehicle Systems International has written a letter to Google Executive Chairman Eric Schmidt expressing concerns “that such an influential tech industry executive” would support bottling up a “promising technology.” Schmidt recently expressed concerns about drones. Meanwhile, an op-ed for Wired makes the case for why Americans should not be afraid of drones. George Mason University researchers Eli Dourado, Adam Thierer and Jerry Brito, in a Federal Aviation Administration filing, argue that constraining commercial drones to strict privacy policy requirements is “unwise and premature.” Dourado writes, “It’s true that opening up U.S. airspace…will have some important privacy implications to consider. But it’s even more important that we consider the effect of too-early, heavy-handed regulation on future innovation.” [Bloomberg Businessweek]

US – SCOTUS: Warrant Needed for DUI Testing

The Supreme Court has ruled that in most cases police need to try to obtain a search warrant prior to ordering blood tests for suspected drunk drivers. The court sided with the defense in Missouri v. McNeely, which argued that taking the defendant’s blood without his consent or a warrant violated his Fourth Amendment rights. Justice Sonia Sotomayor wrote that natural dissipation of alcohol in the blood is not generally a sufficient reason to dispense with the warrant requirement. The court did not offer guidance on when police may obtain a blood sample without a warrant, but the report states Justice Anthony Kennedy said an upcoming case may give the court an opportunity to say more. [NPR]

Offshore / Cloud Computing

WW – Former Hosting Provider Employee Allegedly Placed Backdoors on 2,700 Servers

A man who was once employed by hosting provider Hostgator has been arrested and charged with breach of computer security. Eric Gunnar Gisse worked as an administrator at Hostgator from September 2011 through February 15, 2012. He allegedly installed backdoors on more than 2,700 company servers. The day after Gisse was dismissed from his position, officials at Hostgator detected the backdoor application that he had installed. The backdoor was disguised to look like a Unix administration tool. [ArsTechnica]

Online Privacy

WW – Do Not Track Framework Doc Stirs Controversy Ahead of W3C Meeting

There are rumblings within the World Wide Web Consortium (W3C) leading up to next week’s Do-Not-Track (DNT) meeting after a document was distributed among members “rendering the meeting practically moot.” The “Draft Framework for DNT Discussions Leading Up to Face-to-Face” has been called a “framework,” but privacy groups have called it a “proposal” from the Digital Advertising Alliance (DAA). According to the document, DNT would be off by default. W3C Co-Chair Peter Swire said, “As the name states, it is a framework for discussion, to help frame a possible agenda for next week’s face-to-face meeting in California.” DAA Counsel Stu Ingis said the document is the result of input from the DAA, consumer groups and other stakeholders. “It’s hard for stuff to happen if there’s no agenda,” said Ingis, adding, “There are a lot of cats to herd.” [AdWeek]

US – CA Lawmaker Proposes DNT Honesty-Checker

California Assemblyman Al Muratsuchi (D-66th District) has proposed a bill requiring website operators to disclose whether their sites honor consumer requests to disable tracking and if they do not allow third-party tracking of site users. Author Mathew Schwartz calls the bill “a rare note of clarity” in the Do-Not-Track (DNT) debates. Industry efforts stalled last November, causing some members of the Senate Commerce Committee to question their commitment to the initiative. Sen. Jay Rockefeller (D-WV) is pushing for legislation that includes DNT, but not everyone agrees this is the best solution. George Mason University Researcher Adam Thierer says working to educate people while “pushing for greater transparency about online data collection practices” is the right course. [Information Week]

WW – Given “Doxing,” Hackers Need Not Apply

Media reports on the practice of “doxing,” or document tracing. Recently, celebrities have been at the practice’s mercy; Microsoft CEO Bill Gates was recently outed online for having an outstanding debt on his credit card, for example. But doxing data isn’t produced via hacking; it’s “either already public or accessible by, for example, paying an online people-finding service to get a Social Security number and then running a credit check,” the report states. Data is also gleaned from social media sites. One human rights advocate says posting online has widespread implications. “There’s nothing you can do in the electronic world that your boss can’t find and you can’t be fired for,” he said. [NBC News]

US – Sen. Rockefeller On Do-Not-Track, Data Brokers

The data marketing trail is often mysterious and one U.S. senator is working to ensure consumers have legal protections to opt out and correct personal information amassed by data brokers and other online third parties. The range of ways companies gather consumer data—from sweepstakes to online surveys—makes it difficult for users to correct errors in their marketing profiles, the report states. Sen. Jay Rockefeller (D-WV), who recently led a contentious hearing on the current status of Do Not Track, said, “People have the right to be private insofar as it’s possible in the modern world,” though he acknowledged that Do-Not-Track legislation does not address the bigger issue of consumer data collection by data brokers. [The New York Times]

WW – Ramirez: Functioning DNT System “Long Overdue”

In a speech to the advertising industry this week, Federal Trade Commission Chairwoman Edith Ramirez impelled the industry to work with the World Wide Web Consortium to develop a browser-based Do-Not-Track standard. Ramirez’s position surprised attendees by implying that the Digital Advertising Alliance’s (DAA) self-regulatory program doesn’t suffice and championing cookie-blocking initiatives by Mozilla and Microsoft. DAA Counsel Stu Ingis reacted, saying, “We keep getting demagogued by the FTC…The DAA’s program covers 100% of the advertising ecosystem,” adding, “The problems have been caused by two browser companies.” Sen. John (Jay) Rockefeller (D-WV) is also pushing for Do-Not-Track and has scheduled a hearing on the issue next Wednesday. [AdWeek]

WW – Flaw in Adobe Reader Tracks Documents

A vulnerability in Adobe Reader could be exploited to track PDF files’ movements. The flaw discloses when and where PDF files are opened and affects all versions of Adobe Reader, including the most recent update (Reader XI 11.0.2). McAfee Labs discovered the flaw and has not provided details because Adobe has not yet released a fix. McAfee also noted that it has detected in-the-wild attacks that exploit the flaw. [ComputerWorld] [SCMagazine]

Other Jurisdictions

US – White House Shifts Stance; FBI Driving Wiretap Bill

The Obama administration is changing its position on the path to creating a critical cybersecurity infrastructure from mandatory standards to a more voluntary approach lined with compliance incentives for private companies. White House Cybersecurity Coordinator Michael Daniel said, “This is a huge focus for my office right now—driving forward and staying on track with the executive order.” The National Association of Federal Credit Unions has urged the Senate to consider cybersecurity legislation. The Post also reports on a government task force crafting legislation “that would pressure companies such as Facebook and Google to enable (FBI) officials to intercept online communications as they occur.” The Center for Democracy & Technology’s Greg Nojeim said the bill is a “non-starter” and added, “They might as well call it the Cyber Insecurity and Anti-Employment Act.” [The Washington Post] [Washington Post: Bringing Wiretap Laws Into the Digital Age]

AU – Privacy Week Sees Calls to Prepare for Changes

At the launch of the Office of the Australian Information Commissioner’s (OAIC) Privacy Awareness Week, Privacy Commissioner Timothy Pilgrim and Australian Attorney-General Mark Dreyfus cautioned businesses to prepare for impending privacy reforms. “Now is the time to change existing systems and practices…The sooner these changes are embedded, the easier it will be to comply with the new measures in March 2014,” Dreyfus said. The OAIC has released guidance to help covered entities better protect personal information. While not binding, Pilgrim said the guidelines send a “clear message about my expectations in this area.” A survey commissioned by McAfee found that 59% of employees responsible for managing customers’ personal information were unaware or unsure of the changes. [ZDNet] [Pilgrim: Build privacy into your systems or risk penalties]

Privacy (US)

US – Posner: Privacy Laws Have Little Social Benefit

“There is a tendency to exaggerate the social value of privacy,” writes Judge Richard Posner of the U.S. Court of Appeals for the Seventh Circuit and a senior lecturer with the University of Chicago Law School. Against the backdrop of the Boston Marathon bombings, Posner discusses the balance between privacy and security, asserting that privacy laws don’t “confer social benefits comparable to those of methods of surveillance that are effective against criminal and especially terrorist assaults.” Posner says critics of surveillance ignore deterrence, and while acknowledging issues surrounding government surveillance of digital information, says surveillance technologies are “also used by our enemies. We must keep up.” [New York Daily News]

Privacy Enhancing Technologies (PETs)

US – Start-Up Lets Users Track Who Tracks Them

A start-up based in Palo Alto, Calif., Disconnect, which helps you track who is tracking you online, this week released its latest tool to help safeguard your browsing history. Its new browser extension works on Chrome and Firefox browsers and is meant to block an invisible network of around 2,000 separate tracking companies. The new Disconnect filter is part of an emerging crop of privacy tools aimed at tech-savvy consumers who want to protect personal data online. Most of these companies – Abine and Ghostery are others – offer at least a basic version of their product free and charge for more advanced versions. Disconnect is offering its filter on a sliding scale. [Source]

US – Student Attendance Program Raises Concerns

A pilot program in Georgia designed to track children on their way to school using Radio Frequency Identification (RFID) technology is raising concerns among some privacy advocates. The pilot program was announced by East Coast Diversified, a company that specializes in “student transportation and class attendance management systems.” Andrej Jeremic, director of marketing and business development for the company, said, “We don’t track students…We watch for anomalies.” A similar program has been scrutinized in Texas. A representative from the Electronic Privacy Information Center said, “What you’re doing is telling kids it’s normal to be tracked.” [International Business News] SEE ALSO: [RFID Helps Make Marriage Special]

CA – Smartphones Easily Skim Credit Card Information: CBC Investigation

A technology designed to make it easier to pay with your credit card may be putting Canadians at risk of fraud and identity theft, say security experts. Many new credit and debit cards come with chips that allow customers to tap the card to make a purchase. The chips are read by payment machines, used in many retail outlets, and are supposed to be a safe and convenient way to pay for goods. But the chips can also be read with a device millions of Canadians carry with them every day: a smartphone. Using a Samsung Galaxy S3 — one of the most popular smartphones available in Canada — and a free app downloaded from the Google Play store, CBC News was able to read information such as a card number, expiry date and cardholder name simply by holding the smartphone over a credit or debit card. The information could be read through wallets, pockets and purses. Google did not comment on the apps used by CBC in its investigation, but said in an email it would remove any app that violated Google’s developer distribution agreement or content policies. However, the apps tested by CBC were still available following Google’s comments. [Source]

US – NIST Releases “Major Revision” of SP 800-53, Emphasizes Privacy

In what the National Institute of Standards and Technology describes as its most significant revision of the U.S. federal government’s foundational computer security guide since it was first released in 2005, eight new families of privacy controls, based on the internationally accepted Fair Information Practice Principles, have been added. Security and Privacy Controls for Federal Information Systems and Organizations, known generally as SP 800-53, now includes an Appendix J, the Privacy Control Catalog, and the name of the document as a whole now has “privacy” in it for the first time. [NIST]

WW – Study Says Home Routers Vulnerable to Attacks

Many widely used home routers are easy to hack into, according to a study by a company called Independent Security Evaluators. A test found 13 of the most popular home routers had easily remotely exploitable vulnerabilities that could be used to snoop on or modify network traffic. All of the routers tested were using the most recent firmware and were tested with their out-of-the-box default configurations. [CNet] [ComputerWorld]

WW – Hit by Security Breach

A company whose business it is to manage its customers’ online reputations has acknowledged that it suffered a data security breach. The company has sent email notifications to its customers. The compromised information includes names, email and physical addresses, and employment information. Some customers’ encrypted user passwords were compromised as well. The company reset user passwords. Experts note that users should not be reassured by companies’ assertions that salted passwords are unlikely to be cracked. Cracking techniques are improving and salting does not hinder the task of cracking for just one password, so if it’s a particularly valuable password, the time spent cracking it is well spent. [SC Magazine] [LA Times] [ArsTechnica]
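The point the experts make above is about work factor: a salt forces an attacker to repeat every guess per account, but it adds nothing to the cost of guessing one account. This added example (not code from any of the cited reports, and the wordlist and accounts are constructed) counts the hash computations a dictionary attack needs against a salted and an unsalted store, for all accounts and for a single targeted one.

```python
"""Added example: why a salt protects a whole password database but not one password.

Accounts, passwords and the wordlist below are constructed for illustration.
"""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed dictionary; real cracking wordlists hold millions of entries.
WORDLIST: List[str] = ["123456", "password", "letmein", "qwerty", "sunshine", "dragon", "hunter2"]

# Constructed accounts whose passwords all appear in WORDLIST.
SAMPLE_ACCOUNTS: Dict[str, str] = {"alice": "123456", "bob": "qwerty", "carol": "password"}

# {user: (salt, digest)}; an empty salt models an unsalted store.
Store = Dict[str, Tuple[bytes, bytes]]


def hash_password(password: str, salt: bytes) -> bytes:
    """Plain salted SHA-256, as a fast hash an attacker can evaluate cheaply."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store(accounts: Dict[str, str], salted: bool) -> Store:
    """Build a password store with a random 16-byte salt per user, or none at all."""
    out: Store = {}
    for user, password in accounts.items():
        salt = os.urandom(16) if salted else b""
        out[user] = (salt, hash_password(password, salt))
    return out


def guesses_to_crack(stored: Store, wordlist: List[str], target: Optional[str] = None) -> int:
    """Hash computations a dictionary attack needs to recover every account in
    `stored` (or only `target`). One hash per guess can be compared against every
    account that shares the same salt, which for an unsalted store is all of them."""
    wanted = {target} if target else set(stored)
    by_salt: Dict[bytes, Dict[bytes, List[str]]] = {}
    for user in wanted:
        salt, digest = stored[user]
        by_salt.setdefault(salt, {}).setdefault(digest, []).append(user)
    work = 0
    for salt, remaining in by_salt.items():
        remaining = dict(remaining)
        for word in wordlist:
            work += 1
            digest = hash_password(word, salt)
            if digest in remaining:
                del remaining[digest]
                if not remaining:
                    break  # everything under this salt is recovered
    return work


if __name__ == "__main__":
    unsalted, salted = store(SAMPLE_ACCOUNTS, False), store(SAMPLE_ACCOUNTS, True)
    print("all accounts, unsalted:", guesses_to_crack(unsalted, WORDLIST))
    print("all accounts, salted:  ", guesses_to_crack(salted, WORDLIST))
    print("only bob, unsalted:    ", guesses_to_crack(unsalted, WORDLIST, "bob"))
    print("only bob, salted:      ", guesses_to_crack(salted, WORDLIST, "bob"))
```

For the three sample accounts the unsalted store falls in 4 hashes and the salted one in 7, but the single account "bob" costs 4 hashes either way; the control that actually raises the per-guess cost is a deliberately slow password hash (PBKDF2, bcrypt or scrypt), which the reports do not say the company used.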

WW – Targeted Cyberattacks Jump 42% in 2012, Symantec Says

Internet users are seeing less spam but more targeted attacks, according to security software company Symantec. Looking at last year’s security landscape, Symantec’s Internet Security Threat Report 2013 found that traditional spam accounted for 69% of all e-mail in 2012, down from 75% in 2011. Yet, 30 billion spam messages are still sent on a daily basis. Junk e-mails that hawk sex or dating products and services now account for 55% of all spam, taking the top spot away from pharmaceutical spam. Malware is also part of one out of every 291 e-mail messages, with 23% of those malware-carrying messages offering links to malicious Web sites. Around 247,350 malware attacks were blocked every day in 2012, according to Symantec, a 30% jump over 2011. Last year also saw a 42% rise in the number of targeted attacks, averaging around 116 per day, triggering a comparable increase in data theft and acts of industrial espionage. Small businesses with fewer than 250 employees were fingered in 31% of those attacks in 2012. Symantec believes smaller businesses are targeted because many of them don’t have the stronger security employed by larger firms. More cybercriminals are using a special type of targeted cyberattack known as a “watering hole attack,” Symantec noted. The attackers infect a Web site that their targeted victims are apt to visit, exposing the victims to malware as soon as they access the site. Mobile malware attacks grew by 58 last year, compared with 2011, according to the report. Apple’s iOS was hit by 387 vulnerabilities, much higher than the 13 recorded for Android. Yet Google’s mobile OS accounts for a greater percentage of threats due to its larger market share, open platform, and multiple app distribution methods, Symantec said. Symantec’s Internet Security Threat Report 2013 captured information from more than 69 million attack sensors across 157 different countries. [Source]

CA – Researcher: Internet of Things Is “Bit of a Wild West”

The growth of Internet-connected devices is known as “the Internet of Things”—washing machines, overhead lights, smart scales and more that can all be controlled by owners’ mobile devices. The Organisation for Economic Co-operation and Development estimates the average household with two teenagers will own around 50 Internet-connected devices by 2022. “The vast majority of the future devices of this type don’t exist today,” says Stephen Prentice of Gartner. “If you can measure it, then someone is going to have a device to do that and someone will find a use for that data.” Prentice cautions that the regulatory environment isn’t keeping pace with technology, saying, “At the moment, it’s a case of buyer beware.” [The Globe and Mail] SEE ALSO: [Opinion – The Internet of Things and a Balanced Approach to Regulatory Intervention] and [2012 EU Public Consultation] AND [Indirectly connected to The Internet of Things]

US – Judge Denies FBI Permission to Install Software on Suspect’s Computer

The FBI may not install specialized surveillance software on a suspect’s computer, according to a ruling from a federal magistrate judge. Judge Stephen Smith said that the order requested by the FBI was too broad and too invasive. The FBI had sought permission to install specialized software on a computer used by the suspect; the software “has the capacity to search the computer’s hard drive, random access memory, and other storage media; to activate the computer’s … camera; to generate [location] data for the device; and to transmit the extracted data to FBI agents.” The judge also took the FBI to task for failing to specify how the operation would be certain to target the suspect and no one else. [ArsTechnica] [ComputerWorld]

WW – Technology Aids Investigations, But at What Cost?

In the aftermath of the Boston Marathon bombings, experts are examining the use of video surveillance and analysis to solve crimes. While technological advances and government use of surveillance enables faster identification and tracking of individuals, the debate over how to balance privacy rights with the needs of authorities continues. Some are concerned that data collected for one investigation—or even for an entirely different purpose, like applying for a license—will be retained and used in unrelated investigations. Some European regulators have expressed discomfort with the level of surveillance in the U.S. “Surveillance doesn’t give more security. That’s our experience,” said Schleswig-Holstein Data Protection Commissioner Thilo Weichert. [The Wall Street Journal]

UK – Group Challenges Gov’t Over Spyware Investigation

Human rights group Privacy International has announced it is challenging the British government for unlawful conduct during an investigation into the export of surveillance tool FinFisher. The tool is designed to monitor communications and collect hard drive data and is capable of conducting live surveillance via webcams. Privacy International says Her Majesty’s Revenue and Customs (HMRC) illegally declined to provide information related to its investigation of the technology’s shipment to countries with “poor human rights records.” The group has filed a judicial review application at the High Court in London. If the legal action is successful, “it could set a precedent for other cases in the UK.” [Slate]

US – DOJ Granted Immunity to ISPs Participating in Threat Monitoring Program

According to documents obtained by the Electronic Privacy Information Center (EPIC) through a Freedom of Information Act (FOIA) request, the US Justice Department granted some Internet service providers (ISPs) immunity from prosecution for their participation in a communications monitoring and interception program. The program, originally known as the Defense Industrial Base Cyber Pilot project, was designed to monitor traffic for indicators of cyberthreats and use the information to help protect systems from cyberattacks. Participation was initially limited to certain defense contractors and their ISPs, but has since been expanded to include all sectors of critical infrastructure. The DOJ provided the ISPs with “2511 letters,” granting them immunity for the monitoring activity. [CNet] [WIRED]

US Government Programs

US – Foreign Intelligence Surveillance Court Approved All Requests in 2012

The US Justice Department sent a report to Senate Majority Leader Harry Reid (D-Nevada) detailing certain activity of the Foreign Intelligence Surveillance Court. In 2012, the court approved every request it received to authorize physical searches or surveillance of people within the US “for foreign intelligence purposes.” There were 1,856 requests in all. [WIRED] [WIRED]

US Legislation

US – Rockefeller: Ad Industry ‘Dragging Its Feet’ On Do-Not-Track

Senate Commerce Committee Chairman Jay Rockefeller (D-WV) had blunt words for the online advertising industry at a hearing on Do-Not-Track (DNT) legislation yesterday. “There’s a broad feeling that the advertisers and data brokers are just dragging their feet,” he said, adding, “And I believe they’re doing it purposely.” In his call for DNT legislation, Rockefeller said he doesn’t believe “companies with business models based on the collection and monetization of personal information will voluntarily stop those practices if it negatively impacts their profit margins.” Digital Advertising Alliance Managing Director Lou Mastria said the previous DNT agreement was “short-circuited” by recent privacy decisions by at least two browser-makers. In a column for Wired, W3C Co-Chair Peter Swire warned of a looming “digital arms race” that could have damaging effects for everyone involved. The solution? “The same way we defuse any other arms race,” Swire wrote, “through negotiation.” [MediaPost]

US – Officials: Privacy Concerns Will Kill CISPA

“The Senate will almost certainly kill a controversial cybersecurity bill, recently passed by the House,” due to privacy concerns, according to a report citing a Senate committee aide. Senate Committee on Commerce, Science and Transportation Chairman Jay Rockefeller (D-WV) has said the privacy protections in the Cyber Intelligence Sharing and Protection Act (CISPA) are “insufficient,” the report states, noting the White House has also said President Barack Obama will not sign the bill. The House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies heard testimony from privacy experts including Mary Ellen Callahan, CIPP/US, and Harriet Pearson, CIPP/US. Meanwhile, the Department of Homeland Security is also preparing to “deploy a more powerful version” of its EINSTEIN intrusion-detection system, but COMPUTERWORLD reports its deep packet inspection technology is raising “serious privacy concerns.” [ZDNet]

US – House Passes CISPA

The U.S. House of Representatives Thursday passed a version of the Cyber Intelligence Sharing and Protection Act (CISPA). The bill aims to encourage the sharing of threat data between the government and private sector. President Barack Obama earlier this week threatened to veto CISPA if it did not include stronger privacy protections. CISPA co-sponsor Rep. Mike Rogers (R-MI) said, “Our goal is to get the Senate to pass a bill…We’d love to get a bill in conference.” An amendment proposed by Rep. Alan Grayson (D-FL) that would have required law enforcement to secure a “warrant obtained in accordance with the Fourth Amendment” prior to searching databases for criminal wrongdoing was not included in the bill. [The Washington Post] [White House Issues Formal CISPA Veto Threat]

US – Advocates Ask FTC to Not Delay COPPA

In response to an industry-backed letter asking the Federal Trade Commission (FTC) to postpone implementation of new COPPA rules for six months, privacy groups on Tuesday urged FTC Chairwoman Edith Ramirez not to delay. Signed by 19 privacy groups, including Common Sense Media and the Electronic Privacy Information Center, the letter to Ramirez said the delay is “unwarranted” and would harm children and “undermine the goals of both Congress and the FTC.” COPPA updates are slated to go into effect on July 1. [AdWeek]

US – FTC Releases COPPA FAQs

The Federal Trade Commission (FTC) has issued Frequently Asked Questions (FAQs) to help clarify changes to the Children’s Online Privacy Protection Act (COPPA) that go into effect on July 1. The FAQs cover enforcement, privacy policies and notifications, geolocation data, verifiable parental consent and COPPA in schools, the report states. The FAQ also includes a list of things that covered entities must do, like post a comprehensive privacy policy, provide direct notice to parents and offer parents the ability to prevent further use or collection of their children’s data. [Forbes]

US – Senate Judiciary Passes ECPA Reform

In a unanimous vote, the Senate Judiciary Committee yesterday passed reforms to the Electronic Communications Privacy Act (ECPA). Called the ECPA Amendments Act, the update would require law enforcement to obtain a warrant prior to accessing a user’s private online content. “After years of work on ECPA reform, the time has come for Congress to enact these common-sense privacy reforms,” Sen. Patrick Leahy (D-VT) said. The Center for Democracy & Technology praised the reform. “With the vote today,” CDT Senior Counsel Greg Nojeim wrote, “Congress took a huge step toward finally updating ECPA to ensure e-mails and documents we store in the cloud receive the same Fourth Amendment protections as postal mail and documents we store in desk drawers in our homes.” [The Verge]

US – Sen. Grassley Signals ECPA Reform Support

Sen. Chuck Grassley (R-IA) signaled support for reforms to the Electronic Communications Privacy Act (ECPA). “I would anticipate this year that there wouldn’t be any problem getting (the bill) out at whatever meeting you want to bring it up,” Grassley told Senate Judiciary Chairman Patrick Leahy (D-VT) at a meeting this week. Leahy said he will bring the “e-mail privacy bill” to a vote at the next committee meeting. “I have long believed that our government should obtain a search warrant—issued by a court—before gaining access to private communications,” Leahy said. [The Hill]

Workplace Privacy

US – Does HIPAA Prevent Background Check Compliance?

The Office for Civil Rights has issued an advance notice of proposed rulemaking to address concerns that in some states the HIPAA Privacy Rule may prevent states from “reporting the identities of individuals subject to the mental health prohibitor” to the National Instant Criminal Background Check System (NICS). The notice is an effort to get public input on ways to address these barriers, adding, “In particular, we are considering creating an express permission in the HIPAA rules for reporting the relevant information to the NICS…”

US – Wall Street Takes On State Employee Laws

An “unlikely alliance of regulators and industry groups” is seeking to “carve out exemptions” in a slew of proposed state laws barring employers from accessing the social media accounts of employees or applicants. The Financial Industry Regulatory Authority (FINRA) has stated that financial institutions need an avenue to check “red flags” on personal account misuse. The proposed state laws, FINRA argues, could put investors at risk, the report states. FINRA has reached out to lawmakers in approximately 10 states, asking them to include changes to proposed employee privacy legislation. California lawmakers—in whose state the employee privacy law has already gone into effect—“rebuffed requests” by FINRA and other industry groups to include exemptions. Wisconsin is currently considering similar employee legislation. [The Wall Street Journal]

WW – Analyzing Employee Behavior To Inform HR

An emerging field known as workforce science is using Big Data to analyze worker behavior and apply it to human resource management. The field aggregates and analyzes patterns in employees’ digital history as well as personality-based assessments to guide hiring, firing and promotions, raising some questions about worker surveillance, the report states. “The larger problem here is that all these workplace metrics are being collected when you as a worker are essentially behind a one-way mirror,” says Marc Rotenberg of the Electronic Privacy Information Center. [The New York Times] [Additional Reading]


01-15 April 2013


US – EPIC Sues FBI Over NGI Database

The Electronic Privacy Information Center (EPIC) has filed a Freedom of Information Act lawsuit against the Federal Bureau of Investigation (FBI) to get access to documents outlining the “Next Generation Identification” (NGI) database. The database contains biometric identifiers—including fingerprints, DNA profiles, iris scans, palm prints and voice identification profiles—of millions of American citizens. The complaint filed by EPIC stated, “When completed, the NGI system will be the largest biometric database in the world.” The FBI plans to use the database to match information with data gleaned from outlets such as CCTV. [EPIC press release]

CH – Swiss Researchers Investigate Unique Breathprints

Swiss researchers have discovered a way to identify humans through their unique breathprints. In a research paper titled, Human Breath Analysis May Support the Existence of Individual Metabolic Phenotypes, researchers conclude that individual signatures of breath composition exist, suitable enough to identify humans. [Source]


CA – Revelations Continue in Student Loan Incident

Information continues to trickle in, revealing the true import of the external hard drive loss that has exposed personal information about 583,000 Canadian student loan borrowers. This week the public has discovered the drive also contained business plans and financial information about the Canada Student Loan program, along with “investigative reports” on applicants whose eligibility was questionable. Privacy Commissioner Jennifer Stoddart continues to investigate the data loss, which also includes a missing USB stick, and that inquiry has grown to include the Department of Justice. [Ottawa Citizen]

CA – Ontario Embraces World-Class Standard of Privacy Protection

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, introduced an information centre designed to further educate and advise members of the Ontario Public Service (OPS) on the best privacy practices, thus ensuring excellence in the protection of personal information. The Privacy by Design Centre of Excellence is a joint project between the Office of the Information and Privacy Commissioner and the Ministry of Government Services (MGS). The new centre will further ingrain a culture of privacy offered as the default in all new and existing Ontario government programs. It provides tips and guidance on best practices for privacy protection, as well as educational materials and additional resources. Example materials include white papers and case studies from various sectors including telecommunications, technology, healthcare, transportation and energy. The centre is a resource for the numerous professionals in the Ontario Public Service responsible for project design, information management, architecture management and customer service in a broad array of institutions ranging from provincial agencies to municipal boards and commissions, police service boards, school boards and many more. [Source]

CA – Nunavut MLAs Meet on Language, Privacy Reports

Regular members of Nunavut’s legislative assembly will hold hearings April 16 to 18 in Iqaluit to discuss the most recent annual reports of the languages commissioner and the privacy commissioner. The MLAs say they want the Government of Nunavut to “publicly account” for its actions in response to their recommendations and to the privacy commissioner’s recommendations “concerning the important issues of access to information and protection of privacy,” said Louis Tapardjuk, standing committee co-chairperson. Recently, the GN responded to privacy commissioner Elaine Keenan Bengts’ 2011-12 annual report, tabled last October in the Nunavut legislature, and some of its concerns. Those included concerns about a surveillance project that gathers health information about all Nunavut mothers and babies from before birth up to age five, which the report found could be highly invasive of personal privacy. In her response, Nunavut Premier Eva Aariak said “the use of personal information for this project did receive the proper authorization.” [Source]


US – State AGs and Facebook Align to Educate Youth

The National Association of Attorneys General (NAAG) and Facebook are launching plans to educate children and their parents about privacy and online safety. NAAG President and Maryland Attorney General Doug Gansler said, “There are more and more parents now who understand Facebook and how it works and how their children are using it but don’t necessarily understand the privacy settings and how they work.” The partnership will launch several different online tools, including a Facebook page featuring information on privacy settings, best practices and privacy control tips. [ABC News]

CA – Canadians Anxious About Privacy In the Face of New Technology: Poll

A significant number of Canadians do not feel they understand the privacy risks posed by new technologies and are not confident in their ability to protect their personal information, a new poll commissioned by the Office of the Privacy Commissioner of Canada suggests. Further, such concerns are affecting consumer choices. The telephone survey of 1,513 residents across Canada found that 56% are not confident that they understand how new technologies affect their privacy, a number that has increased steadily since the year 2000. Seven in ten Canadians also reported feeling that they have less protection of their personal information in their daily lives than they did 10 years ago. The declining confidence reflects a range of concerns Canadians have about sharing their personal information online. Many reported being very concerned about posting information about their location (55%) and contact information (51%). The majority (55%) said they have decided not to install, or have uninstalled, an app because of the amount of personal information they would have to provide, and 68% of Canadians say they have chosen not to use a site or a service because they were uncomfortable with the terms of the privacy policy. The survey found that while individuals’ concerns about the protection of privacy are high—66% are very concerned, with 25% of them saying they are extremely concerned—they often don’t take advantage of privacy protection options or information. For example, half of Canadians rarely or never consult online privacy policies and 54% do not take steps to limit tracking of their Internet activities. Other findings from the survey include:

  • 71% think protecting the personal information of Canadians will be one of the most important issues facing our country in the next 10 years.
  • 21% of Canadians think the federal government takes its responsibility to protect personal information seriously while only 13% feel businesses are serious about this responsibility.
  • 60% have asked an organization for an explanation of how it will use their information.
  • 97% would want to be notified by an organization if their personal information was compromised.
  • 73% who use the Internet are concerned about companies using their information to send them spam.
  • 81% think it is very important that websites actively inform them about what kinds of personal information they are collecting and how they use it. [Source]

US – Acxiom to Unveil Transparency Service

Consumer data broker Acxiom plans to introduce a service allowing consumers to access data collected about them. In recent months, the U.S. FTC has placed the data broker industry under the microscope. Acxiom Chief Marketing and Strategy Officer Tim Suther said, “We live in an era when transparency is important,” adding, “We’re listening to that and trying to be even more transparent with people who are interested in understanding what companies like Acxiom do with information.” The company said the service may be available later this year, but it is working on identity theft protection and other logistical obstacles. [Financial Times]

WW – Why Consumer Privacy Decisions Aren’t Always Rational

The New York Times profiles the work of Carnegie Mellon behavioral economist Alessandro Acquisti. Acquisti’s research “has shown that despite how much we say we value our privacy—and we do, again and again—we tend to act inconsistently,” the report states. Policy-makers, his research has proposed, should learn more about how consumers actually behave because, as consumers, “we don’t always act in our own best interest”—suggesting that user control can sometimes be an illusion. Samford University Prof. Woodrow Hartzog said, “His work has gone a long way in trying to help us figure out how irrational we are in privacy-related decisions,” adding, “We have too much confidence in our ability to make decisions.” [New York Times]

WS – Samoa Air Introduces ‘Pay-As-You-Weigh’ Fare Policy

Samoa Air has become the first airline in the world to charge passengers by weight. Instead of a flat rate per seat, the airline will charge passengers a fixed price per kilogram, with the price varying depending on the route. The pay-as-you-weigh system was announced on the airline’s website. “We at Samoa Air are keeping airfares fair, by charging our passengers only for what they weigh. You are the master of your Air ‘fair’, you decide how much (or little) your ticket will cost. No more exorbitant excess baggage fees, or being charged for baggage you may not carry. Your weight plus your baggage items, is what you pay for. Simple.” The airline posted the news on its Facebook page, getting mixed reaction. [Source]


US – Opinion: Increased Gov’t Data Sharing Mandates Increased Oversight

While it may be a “natural application of Big Data” for government agencies to search already collected information about U.S. citizens for suspicious patterns of behavior, Alex Howard, writing for O’Reilly Radar, says the expanded rules on government data sharing that went into effect last year are concerning. First reported by Julia Angwin at The Wall Street Journal, these new database search powers, Howard argues, are unlikely to be sufficiently checked by the privacy professionals who were bowled over when they objected to them in the first place. [O’Reilly Radar]

US – Report: Law Poses Security Risks, Could Violate Privacy

A report by the National Academy of Public Administration (NAPA) says a law requiring the personal financial information of 28,000 federal workers to be posted online poses a national security risk and could violate privacy. The STOCK Act requires the data be available online by April 15 for public searching, sorting and downloading. NAPA concludes that transparency “does not necessarily equate to unrestricted accessibility when it comes to thousands of federal employees’ sensitive financial information,” and “considerations must be made for balancing transparency and privacy needs appropriately and in a way that does not expose federal employees to unnecessary risk.” [USA TODAY]


US – IRS Claims It Can Read Your E-Mail Without A Warrant

According to Internal Revenue Service (IRS) documents obtained by the ACLU, Americans have “generally no privacy” in their e-mail and social media communications. A 2009 IRS handbook obtained by the ACLU says, “e-mails and other transmissions generally lose their reasonable expectation of privacy and thus their Fourth Amendment protection once they have been sent from an individual’s computer.” An ACLU spokesman said the IRS “should formally amend its policies” to require a warrant prior to accessing e-communications. There has been growing consensus of late to update the Electronic Communications Privacy Act to require warrants by law enforcement prior to accessing electronic communications. [CNET News] UPDATE: [IRS Refutes Breach of Privacy Claims]

US – After Searches, Harvard Orders E-Mail Policy Review

In the wake of a “secret search” of e-mail accounts belonging to 16 of the university’s deans, Harvard President Drew Faust has ordered a review of e-mail privacy policies, describing the inconsistency across the university as “highly inadequate.” Calling the lack of e-mail privacy policies an “institutional failure,” Faust plans to form a task force to develop recommendations on e-mail guidelines. Faust has also asked an independent attorney to investigate the e-mail searches “and to verify that the information provided so far is a full and accurate description of what actually happened,” the report states. [COMPUTERWORLD]

Electronic Records

WW – The Potentials and Risks of Data Science

Columbia University’s new Institute for Data Sciences and Engineering emphasizes the importance of educating a broader swath of society. Google Chief Information Officer Ben Fried expressed concern that “the technology is way ahead of society” and warned against only having an intellectual elite who understand the implications of Big Data—a situation that could cause “a runaway technology or a public rejection.” Fried added, “I think it is a mistake if conversations about this technology leave out the humanities.” Meanwhile, one consulting firm notes that Big Data could save U.S. citizens as much as $450 billion in healthcare costs. [The New York Times]

EU Developments

EU – WP29: Consent “Almost Always” Required

A new opinion issued by the Article 29 Working Party (WP) states that “free, specific, informed and unambiguous ‘opt-in’ consent” is almost always necessary when organizations want to use previously collected personal data in Big Data projects. The exception may be Big Data projects that involve detecting “trends and correlations.” The WP also said businesses should provide consumers with access to their “profiles,” knowledge of the underlying logic of how the profiles were created and the ability to correct and share the information in them. The opinion includes a four-factor test to help determine whether businesses’ processing activities are compatible with the purposes for which the data was first collected.

EU – Europe Launches Controversial Crime-Fighting Database

The Schengen Information System II (SIS II), after substantial delays, has launched. SIS II is a centralized database that aims to help security officials exchange information more quickly and efficiently within the Schengen zone, where people can move freely. “It’s important for member states to exchange data among one another more closely and join forces in fighting crime—as a counterbalance to the absence of border controls,” said a spokesman for Germany’s Federal Ministry of the Interior. But privacy authorities including Germany’s Federal Commissioner for Data Protection and Freedom of Information Peter Schaar have taken issue with the centralization of such data, and have called for uniform standards across Europe on how the data can be used and who has access. [Deutsche Welle]

EU – Reding and Holder Discuss Online Privacy Protection

EU Justice Commissioner Viviane Reding met with U.S. Attorney General Eric Holder to discuss a range of issues including data protection initiatives and other collaborative efforts between the European Commission (EC) and the U.S. Justice Department. Among more specific topics, the officials discussed online protections for children and ongoing data-sharing efforts. According to an EC press release, “Each noted recent progress made, and both sides were optimistic in reiterating their determination to finalize negotiations as rapidly as possible.” Meanwhile, the UK government is not backing efforts within the proposed EU data protection regulation to instill a “right to be forgotten.” [The Guardian]

EU – Euro Task Force Initiates Enforcement Measures Against Google

A taskforce of data protection agencies has begun follow-up measures against Google after the company failed to fix flaws in a new privacy policy. The taskforce is led by France’s data protection authority, the CNIL, and includes authorities from the UK, Germany, Italy, Spain and The Netherlands. The CNIL says it has notified Google of the inspection’s initiation, which follows a March 19 meeting between the company and the regulators that ended in deadlock. “The authorities’ goal is not to fine Google,” said a CNIL spokeswoman. “The goal is for Google to be in line with what we demand.” Meanwhile, the company’s forthcoming “Google Glass” is raising privacy concerns in the U.S. [CNIL] [CNET: Europe continues privacy tussle with Google]

UK – ICO Performance Report Is “Mixed Bag”

A recent report by the Commons Justice Select Committee on the performance of the Information Commissioner’s Office (ICO) includes both supportive and troubling news for the agency. The committee backed the ICO’s intention to place NHS bodies and local authorities under compulsory audits. The article suggests the ICO’s view of the committee’s report was accurate when the ICO said, “the picture that emerges (of the ICO) is of a regulator that is delivering, that is relevant and that is efficient” but cautions the ICO also faces funding issues and is “running out of road and cannot absorb further cuts to the FOI budget without adversely affecting performance.” [Mondaq]

Facts & Stats

WW – Opinion: Top Five Threats of 2013

Columnist Melissa Riofrio lays out the top five online privacy threats in 2013, including the proliferation of cookies, law enforcement’s seizure of cloud data, the ease of locating users by their smartphones, facial recognition software and looming government concerns about cybersecurity. “This year’s online threats to privacy will continue to grow unless Congress and other decision-making bodies offer some meaningful support for privacy,” Riofrio writes, adding, “it all boils down to a matter of openness versus secrecy.” [PCWorld]


WW – Secret Files Expose Offshore’s Global Impact

A cache of 2.5 million files has cracked open the secrets of more than 120,000 offshore companies and trusts, exposing hidden dealings of politicians, con men and the mega-rich the world over. The secret records obtained by the International Consortium of Investigative Journalists lay bare the names behind covert companies and private trusts in the British Virgin Islands, the Cook Islands and other offshore hideaways. They include American doctors and dentists and middle-class Greek villagers as well as families and associates of long-time despots, Wall Street swindlers, Eastern European and Indonesian billionaires, Russian corporate executives, international arms dealers and a sham-director-fronted company that the European Union has labeled as a cog in Iran’s nuclear-development program. The leaked files provide facts and figures — cash transfers, incorporation dates, links between companies and individuals — that illustrate how offshore financial secrecy has spread aggressively around the globe, allowing the wealthy and the well-connected to dodge taxes and fueling corruption and economic woes in rich and poor nations alike. The records detail the offshore holdings of people and companies in more than 170 countries and territories. The hoard of documents represents the biggest stockpile of inside information about the offshore system ever obtained by a media organization. The total size of the files, measured in gigabytes, is more than 160 times larger than the leak of U.S. State Department documents by Wikileaks in 2010. To analyze the documents, ICIJ collaborated with reporters from The Guardian and the BBC in the U.K., Le Monde in France, Süddeutsche Zeitung and Norddeutscher Rundfunk in Germany, The Washington Post, the Canadian Broadcasting Corporation (CBC) and 31 other media partners around the world. Eighty-six journalists from 46 countries used high-tech data crunching and shoe-leather reporting to sift through emails, account ledgers and other files covering nearly 30 years. [Huffington Post]

US – FTC Sends FCRA Warning Letters to Six Companies

The Federal Trade Commission (FTC) has sent letters to six companies warning them to “double-check” their Fair Credit Reporting Act (FCRA) responsibilities. The selected companies specifically collect information about the rental histories of tenants and share the data with potential landlords, the FTC press release states. “If you assemble or evaluate information on individuals’ rental histories,” the release states, “and provide this information to landlords so that they can screen tenants, you are a consumer reporting agency that is required to comply” with FCRA. [FTC]


US – Industry Pushes Back on State’s Right to Know Act

There is an industry backlash against California’s proposed “Right To Know Act.” If the bill passes, it would require companies to disclose their data-use practices to California consumers upon request. A coalition of businesses and trade groups—including the Internet Alliance, TechNet and TechAmerica—have written to the bill’s sponsor, Assemblywoman Bonnie Lowenthal (D-Long Beach), urging that she “not move forward” with the bill, citing its “costly and unrealistic mandates.” Nicole Ozer of the ACLU—which co-sponsored the bill—said there is “real impact for individuals when they don’t know how their information is being collected and when it is being shared in ways they don’t want.” [The Wall Street Journal] [CSO Online] [CNET]


US – DNA Project Aims to Make Public a Company’s Data on Cancer Genes

The New York Times reports on a privately owned database containing information on DNA mutations that increase cancer risk and a corresponding grassroots project aimed at making that data public. Owned, built and kept private by Myriad Genetics, the database contains millions of tests on genetic mutations—data to which several researchers want access. The project, Sharing Clinical Reports, asks cancer clinics and doctors around the country to share all Myriad data they have from patient tests, and, according to the report, none of the data contains patient identifiers. On Monday, the Supreme Court will also hear a case that may determine whether two patents of genes owned by Myriad are legal. [NYT]


WW – Google Adds Cookie Notification to EU Search

Google has added cookie notification language on its search and results pages for users in the EU. The company has also reportedly switched from using the Digital Advertising Alliance icon to its own “i” information icon. AdWeek reports on the implications of third-party cookie blocking for large and small businesses. “In a cookieless world, publishers with business models that naturally collect strong names and addresses and other personally identifiable information (PII) are going to be able to…connect to CRM databases,” an Acxiom representative said, adding, “For publishers that have a weak PII story, they’ve been more heavily reliant on the cookie world.” [AdWeek]

WW – Google Privacy Chief Stepping Down

Google’s first director of privacy plans to retire. Alma Whitten, named director of privacy in 2010 following controversy over Google’s Street View and Buzz services, was tasked with overseeing product development at the company to prevent future privacy mishaps. She led the privacy team that saw the merging of Google’s 70-plus privacy policies into one. Whitten will be replaced by Google engineer Lawrence You, who will now take over a privacy team consisting of several hundred individuals. [Forbes]

WW – Google Rolls Out New Inactive Account Manager

Google announced a new service it’s calling Inactive Account Manager. What it essentially allows is for customers to designate “trusted contacts” to receive their Google data in the event of their death or inability to access their Google products. It also, however, allows users to decide to have their information deleted automatically following a specified period—three, six, nine or 12 months—of inactivity. Kashmir Hill notes in Forbes that some have already taken to calling the service “Google Death Manager” and wonders how you’ll use it. [Google Blog]

Health / Medical

US – Court: HIPAA Trumps Florida Disclosure Law

The 11th U.S. Circuit Court of Appeals has ruled unanimously that a federal law requiring licensed nursing homes to disclose deceased residents’ medical records only to a designated “personal representative” trumps a Florida state law allowing disclosure to individuals including spouses, guardians, surrogates or attorneys who request them. Judge Susan Black wrote in the court’s decision: “The unadorned text of the state statute authorizes sweeping disclosures, making a deceased resident’s protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason, and without regard to the authority of the individual making the request to act in a deceased resident’s stead.” [The Miami Herald]

US – Company Stores Doctors’ Records, Serves Patients Ads

A US company is offering doctors cloud-based electronic medical records software. Practice Fusion stores health data for 150,000 providers on 690 million patients. Its primary business is putting advertisements on those records via its relationships with testing and pharmaceutical companies. Ads are targeted to customers based on their medical records. Patient names and other identifiable information are not shared with advertisers, however. [The New York Times]

US – Groups Develop Trust Framework

The Texas-based Patient Privacy Rights Foundation, along with Microsoft and PricewaterhouseCoopers, has developed a “trust framework” for health IT systems. The framework includes 75 criteria based on 15 privacy principles to enable “objective measurement of how well health IT, platforms, applications, electronic systems and research projects protect data privacy and ensure patient control over the collection, use and disclosure of their health data,” the Patient Privacy Rights Foundation noted. The principles include elements available under current state and federal laws, the report states, as well as provisions indicating individuals should “decide who can access information” and “how and if sensitive information is shared.” [ModernHealthcare]

Horror Stories

WW – A Roundup of Recent Breaches

Following two recent breaches in Utah, one affecting 780,000 individuals, the state is taking steps to prevent future incidents. The health department is creating a data security office, and the governor recently signed a law requiring the implementation of security and privacy best practices there and in other government departments. In Iowa, Kirkwood Community College officials say hackers accessed a database containing applicants’ names, Social Security numbers and other personal information. And a VA medical center has alerted 7,405 patients to a breach involving an unprotected laptop containing their personal information. [GovInfoSecurity]

US – Potentially Massive Class-Action Moves Forward

A federal court has granted class-action status to a lawsuit claiming online tracking firm comScore secretly collected and sold Social Security numbers and credit card numbers as well as passwords and other personal data from consumer systems. The lawyer representing the two plaintiffs said this could be the largest privacy case to go to trial by way of class size and potential damages, the report states. ComScore says it captures approximately 1.5 trillion user interactions monthly—or nearly 40% of Internet page views. [COMPUTERWORLD]

US – Hannaford Breach Class-Action Decision

U.S. District Court Judge Brock Hornby has denied a plaintiff’s motion to certify a class action seeking damages stemming from a data breach at Hannaford Bros. The March 20 decision by Hornby noted that proving damages “required highly individualized determinations that could not be tried through proof common to the class as a whole,” and the article states that the “Hannaford case illustrates how damages issues, even in cases articulating a viable common damages theory, can still frustrate class certification.” Though Hornby denied an argument that a voluntary refund program offered by the company “provides a defense against class certification, such programs still provide a way to mitigate class damages, reduce potential overall exposure and retain customer goodwill.” [National Law Review]

US – Breach Roundup; Supreme Court Upholds Strict Harm Requirements

Oregon Health and Science University has sent data breach notification letters to 4,022 patients following the theft of a surgeon’s unencrypted laptop. The University of Mississippi Medical Center reports a password-protected laptop containing personal information on adult patients has gone missing, and Utah’s Granger Medical Clinic has notified patients of a potential breach after 2,600 medical appointment records scheduled to be shredded went missing. Meanwhile, Wilson Elser attorneys report on the recent Supreme Court ruling that upheld requirements for plaintiffs to prove harm that is “certainly impending” in order to have standing to sue in privacy cases. [HealthITSecurity]

US – GSA Reports Breach; VA Holds BYOD Plans

The U.S. General Services Administration recently alerted users of its System for Award Management that personal information was exposed due to a security vulnerability. The notice said registrants using Social Security numbers as identifiers may be at greater risk for identity theft. Meanwhile, InformationWeek reports the Department of Veterans Affairs has put on hold plans to allow employees to use their own mobile devices for work purposes. The department said it must resolve legal issues on confiscation and investigation of such devices before moving forward. [CNET News]

Identity Issues

US – Actress Loses Privacy Lawsuit Against IMDb

A jury has rejected claims by an actress that IMDb violated its own privacy policy by disclosing her date of birth. “It’s not known why the jury rejected actress June Hoang’s claim,” the report states. “But the trial did make at least one thing very clear: Lying about your age isn’t easy in the era of Big Data.” Hoang sued in 2011, alleging the company violated its privacy policy by accessing her credit card data, which was supposed to remain confidential. IMDb countered that the “fine print in its privacy policy gave it cover,” the report states. [Source]

WW – Mozilla Brands Persona as Password Killer

Mozilla’s Web site log-in alternative known as Persona unveiled a Beta 2 version. Now you can sign in to any Web site supporting Persona using a Yahoo Mail account. Persona, which is still in development, is an open authentication system that works on desktops and mobile devices. In addition to being able to log in using either your Persona ID or your Yahoo credentials, today’s release introduces support for Firefox OS, which means you can expect to use Persona to log in to any Firefox OS devices that launch later this year. It also includes back-end changes that make the log-in system work twice as fast as before, Mozilla says. The company boldly claims that Persona will also be a “password killer.” “Facebook and Twitter sign-in conflate the act of signing into a Web site with sharing access to your social network, and often granting the site permission to publish on your behalf. Sometimes this is what a user wants, but far too often it’s absolutely not,” said Lloyd Hilaiel, the technical lead for the project, in a post explaining Persona Beta 2. [Source]

US – Court Rejects 1st Amendment Balancing Test for Online Anonymous Speech

A Michigan appellate court ruled last week that state discovery rules provide adequate safeguards for anonymous online speech. The opinion is a significant deviation from the rulings of other state courts, which have applied a First Amendment balancing test to determine whether to grant discovery requests for the identities of anonymous online speakers. [Source]

CA – Feds Launched Wide-Scale Search in Hunt for Lost Student-Loans Data

The disappearance of an external hard drive in November triggered a sweeping search of the Human Resources and Skills Development Canada building where it was last seen, with cubicles swept, folders checked one by one, and cabinets moved to leave no nook unchecked. Similar-looking hard drives were collected and scanned to see if they contained personal information on 583,000 student loan borrowers, but the missing drive could not be located. The details are contained in emails and a security report about the loss of personal information, including names, addresses and social insurance numbers of Canada Student Loan recipients. The hard drive was used to back up information about the loan recipients, including HRSDC investigation reports, but was neither encrypted nor password protected, a violation of federal policies on information management. The security report also notes the drive was stored in a secure cabinet that was not locked all the time, another violation of federal policies. “Two employees had access to the cabinet…the cabinet was not locked 100 per cent of the time,” reads the security report, filed on Nov. 29, 2012. The documents were released to Postmedia News under access to information law. [Source]

Internet / WWW

US – DHS Warns Personal Data on Public Websites Used in Phishing Attacks

The US Department of Homeland Security (DHS) is warning organizations not to post business and personal information on publicly accessible web pages because the data could be exploited in spear phishing attacks. The alert grew out of an incident last fall in which spear phishing campaigns targeted energy sector organizations. The attacks used information from a list of conference attendees that included names, email addresses, and organizational affiliation, that had been posted on a public website. [COMPUTERWORLD]

WW – Hackers Steal Passwords from Scribd User Database

Document-sharing website Scribd says that hackers compromised as many as one million user passwords. The affected passwords had been stored with an outdated hashing algorithm. A Scribd software engineer said that no accounts had been compromised. The company has contacted affected users and instructed them on how to change their passwords and make them more secure. [ZDnet] [NBC News]

WW – Privacy Focus Remains in Microsoft’s Ad Campaign

The third phase of Microsoft’s marketing campaign targeting Google’s privacy practices suggests Google is “more interested in increasing profits and power than protecting people’s privacy and providing unbiased search results.” The story suggests the ads, which one observer calls typical of an industry underdog, “say as much about the dramatic shift in the technology industry’s competitive landscape as they do about the animosity between the two rivals.” The new “Scroogled” ads, which began this week, criticize Google for sharing personal information gathered about purchasers of apps “designed to run on smartphones and tablet computers powered by Google’s Android software,” the report states. [The Boston Globe]

WW – EBay To Open Data to Marketers

EBay will now allow advertisers access to data on what products a consumer has bought in order to send targeted ads. The company has used such data to promote products to users, but it will now commercialize “that capability for the benefit of other marketers who want to reach shoppers,” said an eBay spokesman. “That’s something new this year.” But eBay risks alarming consumers who might have been okay with eBay showing them related products but who “expect eBay not to tell anybody else who they are.” [AdWeek]

Law Enforcement

US – Court Case Reveals FBI Stingray Details

Details of how the FBI uses cellphone surveillance technology have been revealed in a court case involving a suspected identity theft ringleader. Court documents note that Verizon reprogrammed the suspect’s air card to respond to silent incoming calls from the FBI causing the device to disclose its location. The government did not dispute the claims during a March 28 hearing in a U.S. District Court in Arizona. Electronic Frontier Foundation Staff Attorney Hanni Fakhoury said, “It shows you just how crazy the technology is…This is more than just (saying to Verizon) give us some records…This is reconfiguring and changing the characteristics of the (suspect’s) property, without informing the judge what’s going on.” [WIRED]

US – Google Fights U.S. National Security Probe Data Demand

Just a few weeks after U.S. District Judge Susan Illston created a bit of legal limbo around the U.S. federal government’s so-called National Security Letters (NSLs) by declaring them unconstitutional and then staying her ruling to allow for appeal, Google has stepped into the breach by refusing to comply with an FBI-issued NSL. According to a Bloomberg report, Google has challenged a demand by the FBI for private user information in what the Electronic Frontier Foundation believes is the first time a “major communications company” has decided not to comply with an NSL. Google outlines its policy toward NSLs here. The law allows judges to set aside requests by the FBI if they are “unreasonable, oppressive or otherwise unlawful.” [Bloomberg]

US – FAA to Host Online Drone Privacy Session

The Federal Aviation Administration (FAA) will host an “online public engagement session” on Wednesday to allow the public to express privacy concerns stemming from domestic use of drones. The FAA is seeking specific comments on a privacy protocol that would be implemented at its six drone testing sites. Public comments “are not intended to predetermine the long-term policy and regulatory framework under which commercial (drones) would operate,” the FAA has said, adding, “Rather, they aim to assure maximum transparency of privacy policies.” [The Washington Times]

US – Fed Appeals Court Restricts Phone Searches

The U.S. Court of Appeals for the Sixth Circuit has ruled that a school may not search a student’s phone, even if the student has a history of troubled behavior. G.C. v. Owensboro Public Schools also more specifically defined under what circumstances a student’s phone may be searched, and, according to the report, it is one of the “more significant rulings on student privacy rights.” [The Wall Street Journal]


EU – Studies Say Mobile Apps View Too Much Data

France’s data protection authority, the CNIL, says mobile phone apps are accessing and processing an unnecessary amount of private data. The CNIL studied 189 apps on six smartphones. The aim was to analyze the nature of the apps, not to blame app developers, CNIL President Isabelle Falque-Pierrotin said. Meanwhile, security researchers at a Romania-based firm are warning that mobile apps are becoming increasingly intrusive: nearly 13% of apps disclose user phone numbers without the user’s consent. [PCWorld]

Online Privacy

PL – New Cookie Rules Make Opt-Out OK with Proper Info

According to SSW privacy lawyer Joanna Tomaszewska, changes to Poland’s telecoms laws mean a “very strict information duty” requiring website operators to inform consumers of cookie use and ways they can alter their cookie settings; however, if properly informed users do not change default settings, inaction will constitute “explicit consent.” The Office of Electronic Communications (OEC) has also been given the power to issue financial penalties of up to three percent of the previous year’s profits to companies that breach the rule. While noting that “it is too early to know how the OEC will impose penalties,” Tomaszewska said it is “rather unlikely” the OEC will levy a fine amounting to three percent of annual profits. [Out-Law]

US – Franken: Company’s Opt-Out Tracking Unsatisfactory

Sen. Al Franken (D-MN) has said that the opt-out policy used by Euclid Analytics is unsatisfactory because it requires consumers to go to the company’s website instead of asking consumers for permission. Franken sent Euclid a letter last month seeking more information about its privacy practices and on Monday released the organization’s response. “I am pleased that privacy is a priority for Euclid,” Franken said, “but their continued use of opt-out technology underscores the need for Congressional action to protect consumer location privacy.” Euclid CEO Will Smith said the company does not collect personal information, only provides metrics to its retailer clients and does “not have any plans to sell, rent or disclose” its data to any third parties. [The Hill]

AU – Report: Law Would Put Small ISPs at Disadvantage

Proposed data retention legislation may have impacts on small Internet service providers (ISPs). While the comments had not been made public previously, the government was cautioned a year ago by a Department of Broadband Communications and the Digital Economy adviser that small ISPs “faced the heaviest financial burden under data retention laws being sought by law enforcement bodies,” the report states. The proposed legislation is the subject of an inquiry by the Joint Parliamentary Committee on Intelligence and Security. Law enforcement officials have said they are not attempting to extend their powers, but advocates caution the laws are “too intrusive on privacy of innocent civilians,” the report states. [Australian IT]

Other Jurisdictions

US – Gov’t Report: IRS PIAs Need Improvement

A government report has revealed that the U.S. Internal Revenue Service (IRS) has not yet installed appropriate processes ensuring Privacy Impact Assessments (PIAs) are executed in a timely manner. The Treasury Inspector General for Tax Administration (TIGTA) report made a total of 11 recommendations to the IRS. The IRS agreed with nine of the recommendations but noted it has already implemented two of them, the report states. TIGTA Inspector General J. Russell George said, “The privacy of taxpayer information is essential to taxpayer confidence in the fairness and integrity of the American system of tax administration,” adding, “It is imperative that the IRS adopt our recommendations to ensure the effectiveness of this important initiative.” [Accounting Today]

MX – Mandatory Notice Guidelines to Go Into Effect

Littler Mendelson’s Javiera Medina Reza outlines Mexico’s new Privacy Notice Guidelines, which go into effect April 17. The mandatory guidelines set requirements for data privacy notices and for obtaining consent prior to collecting personal data, in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties, enacted in 2010. The Federal Institute for Access to Information and Data Protection (IFAI) may impose sanctions for noncompliance, and Reza writes that a recent IFAI decision imposing a fine of more than $162,000 for a company’s failure to fix problems with its privacy notice underscores the importance of complying with the guidelines. [Mondaq]

HK – PCPD Condemns Deceitful Octopus Card Marketing Practices

The Office of Privacy Commissioner for Personal Data (PCPD) has found that an insurance broker and a body-check service obtained personal information through deceitful means for direct marketing purposes. After receiving complaints from consumers, the PCPD investigated the companies and found that Hong Kong Preventive Association Limited had collected personal data from about 360,000 people under false pretenses, which it then sold to Aegon Direct for direct marketing. Privacy Commissioner Allan Chiang Yam-wang said while he hoped Octopus’s contraventions would serve as a “wake-up call…in many recent investigation cases, including this one, it was found that the data users still fell short of meeting customer expectations and compliance with the requirements of the ordinance.” [The Standard]

AU – Company to Launch Data Breach Insurance

Insurer Beazley Group plans to roll out data breach insurance in Australia at the end of this year. “There is certainly growing interest in this sector,” said Beazley Chief Executive Andrew Horton, noting data breach notification laws could get tougher. He added that data breaches happen in forms other than cyber threats, including when data is simply lost while a business moves from one location to another. The company launched the product in the U.S. five years ago and in the UK earlier this year. [Australian Financial Review]

AU – Advertisers Face Privacy Timebomb, Warns ADMA

Advertisers and agencies do not understand the significant fines they face under major changes to the Privacy Act set to take force within the next 12 months, says the Association of Data Driven Marketing and Advertising. The organisation said there is still little industry focus on how the changes will affect advertiser interactions with consumers, with breaches due to attract fines of up to $1.1m. The association argues the changes will dramatically affect both agencies and advertisers, especially those marketing online using demand-side platforms and social media. Technology driven by demand-side platforms allows online advertisers to be increasingly sophisticated about how they target messages at users based on individuals’ browsing behaviour. Under the new laws, which begin in March 2014, the definition of personal information will broaden so that any information which identifies an individual, regardless of whether their name is included, will be classed as personal information and subject to the new regime. One group of marketers likely to be affected is not-for-profit organisations, which may lack resources for legal compliance but generate funding through interactions with the public. [Source]

SL – Commissioner Challenges New Data Law as Unconstitutional

Andrej Tomsic, deputy information commissioner for the Republic of Slovenia, writes for EDRi-gram that his boss, Commissioner Natasa Pirc Musar, on March 19 challenged the national implementation of the Act on Electronic Communications before the Constitutional Court. Musar believes the new data retention provisions, which took effect January 15, “do not respect the principle of proportionality and that they have been transposed into the national law in contrast with the provisions of the Data Retention Directive 2006/24/EC.” The provisions broaden data retention to all criminal offenses and anything in the “interests of the state,” along with civil litigation and labor law disputes. Musar hopes to have enforcement of the act suspended and the new provisions declared unconstitutional, which could take as much as a year. [EDRI]

SA – Bill Aims to Protect South Africans from Prying Eyes

Amid the vocal protest and fury over the “secrecy bill,” another protection of information bill has been crafted to protect South Africans from identity theft and unwanted electronic marketing. The Protection of Personal Information Bill has been a number of years in the making in Parliament’s justice committee. It has been approved by the National Assembly and awaits processing by the National Council of Provinces. The bill seeks to create a regime under which institutions such as banks, insurance companies and other businesses must manage the personal information of their clients. A key provision is the removal of the so-called negative approval under which electronic marketers operate. At present they can send SMSes and e-mails and require the individual to “opt out” for the unwanted messages to stop. The new provision will allow one message to be sent; if the recipient does not respond positively, the marketer may not send another. [Source]

Privacy (US)

US – IAB Asks FTC for Delay on New COPPA Implementation

Changes to the privacy rules within the Children’s Online Privacy Protection Act (COPPA), slated to be published by the FTC in the form of FAQs “sometime this month,” have prompted an industry advertising group to ask the FTC for a six-month delay on implementation. “It’s a complete makeover and that will take time,” said Interactive Advertising Bureau Senior VP and General Counsel Mike Zaneis, adding, “They’ll need time to determine if they can bear the burden of a strict liability regime or convert to a pay-for-content model.” Morrison Foerster Partner D. Reed Freeman, Jr., noted the changes are “a market-altering event…It won’t be the end of the world, but there will be a lot of fallout first.” [Source]

US – SCOTUS Refuses E-mail Privacy Case; Senate to Take Up ECPA Reform

The Supreme Court has declined to hear a case that could test the boundaries of federal protection of e-mail privacy. An appeal in Jennings v. Broome asked the court to resolve differing rulings by a California appeals court and the South Carolina Supreme Court. Meanwhile, the U.S. Senate is prepared to mark up legislation that would require police to obtain warrants before searching citizens’ e-mails, The Hill reports. Bill co-sponsor Sen. Patrick Leahy (D-VT) said, “Safeguarding Americans’ privacy rights is not a Democratic issue or a Republican issue—it is something that is important to all Americans, regardless of political party or ideology.” [Christian Science Monitor]

US – FTC Chairwoman Releases 2013 Annual Highlights

Newly appointed Federal Trade Commission (FTC) Chairwoman Edith Ramirez released the agency’s 2013 Annual Highlights, calling attention to several of its initiatives including protecting consumer privacy, challenging deceptive advertising and safeguarding children online. Ramirez said, “As we head into our second century, the FTC is dedicated to advancing consumer interests while encouraging innovation and competition in our dynamic economy.” [Source]

US – FTC Approves Computer Spying Final Order

The Federal Trade Commission (FTC) has approved nine final orders settling charges against seven companies and a software design firm, including two principals accused of using the software and computers to spy on customers. According to the FTC press release, “the respondents will be prohibited from using monitoring software and banned from using deceptive methods to gather information from consumers.” The settlements will also require the companies to get consent from users prior to using geophysical location tracking and to maintain records for the next 20 years to enable the FTC to assess compliance. [FTC]

US – Supreme Court Asked To Hear NebuAd Case

Two subscribers of Internet service provider (ISP) Embarq have asked the Supreme Court to determine whether the company violated existing privacy law when it partnered with NebuAd. Embarq was one of six ISPs that used NebuAd’s behavioral targeting services in 2007 and 2008, but some consumers have claimed the partnership violated federal wiretap laws. In a petition to the Supreme Court, two former Embarq subscribers wrote, “The present case illustrates the significant harm to societal interests in communications privacy if an ISP is considered to be permitted, in the ordinary course of its business, to sell its customers’ private communications to the highest bidder.” [MediaPost News]

Privacy Enhancing Technologies (PETs)

WW – Product Stops Third-Party Tracking

A California start-up’s product allows individuals to view which companies are tracking them online. The browser extension, Disconnect, aims to help users safeguard browsing history. First-party trackers are still permitted to follow a user, but the data won’t be shared with third-party websites, and ads won’t be served based on such data. “We are stopping that flow of data as you bounce around the web,” said the company’s co-founder. “Third-party retargeters are not going to have information about you.” The filters are distinct from Do-Not-Track signals. [NYT]

WW – Tech Firms Unveil Ad-Blocking Tools

Two tech companies have started offering ad-blocking tools for mobile users. Evidon is delivering the Ad Choices icon and the opt-out system for users, while TRUSTe has upgraded its real-time bidding system so that advertisers know prior to bidding that the user cannot be targeted using behavioral data, the report states. The moves come before the Digital Advertising Alliance (DAA) has published any mobile guidelines. DAA Counsel Stu Ingis said those guidelines could come “this spring—a few weeks to a couple of months.” TRUSTe’s Kevin Trilli said, “That is why we didn’t wait, and why we just started to build.” [AdAge]

WW – Mozilla Readies Third-Party Cookie Blocker

In a preview version of its Firefox 22 web browser, Mozilla has included an automatic third-party cookie blocker, putting the company “on a collision course with the online ad industry.” Some trade groups call the new feature “dangerous and highly disturbing” and warn that users will experience more ads as a result. Stanford University graduate student Jonathan Mayer, who wrote the patch, tweeted, “The new Firefox cookie policy has migrated to Aurora!” (Aurora being Mozilla’s pre-beta release channel). Firefox 22 is expected to be fully released in late June. [COMPUTERWORLD]

WW – Firefox Announces More DNT Options

Seth Rosenblatt reports on Firefox’s “more nuanced approach” to implementing its Do-Not-Track (DNT) setting and efforts to provide additional user choice. Firefox engineers describe the past practice of “on” or “off” DNT implementation in light of what they describe as the “three states of Do Not Track.” Firefox’s Tom Lowenthal explains, “DNT:0 means, ‘I consent to being tracked.’ DNT:1 means, ‘I object to being tracked.’…When DNT is off, it doesn’t mean ‘please track me.’ It means that the user hasn’t told the browser their choice yet.” Rosenblatt notes, “What’s not clear is how sites react to that.” [CNET]
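The Disconnect extension, the Firefox 22 cookie policy and the three DNT states above all turn on two decisions that are easy to get wrong: whether a request is “third party” relative to the page the user is looking at, and what an absent DNT header means. The following is an added example, not code from Disconnect or Mozilla, that makes both decisions explicit. It assumes a toy public-suffix table in place of the real Public Suffix List, models the third-party cookie rule as “allow only from sites the user already has cookies from” (an assumption about the new policy, which the page does not spell out), and, for the DNT-unset case, treats first-party context as trackable and third-party context as not, which is a design choice of this example rather than anything the page states.

```javascript
// Added example (not Disconnect's or Mozilla's code): classify a request as
// first- or third-party, apply a cookie policy, and map the DNT header to
// the three states described by Firefox's engineers.

// Registrable domain ("site") of a hostname. Real browsers consult the
// Public Suffix List; this tiny table is a constructed stand-in (assumption).
const MULTI_LABEL_SUFFIXES = new Set(['co.uk', 'com.au']);

function siteOf(hostname) {
  const labels = hostname.toLowerCase().split('.');
  const lastTwo = labels.slice(-2).join('.');
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// Third-party means the request's site differs from the top-level page's site.
// Comparing full hostnames would wrongly treat cdn.example.com as a third party
// on news.example.com; comparing sites does not.
function isThirdParty(topLevelUrl, requestUrl) {
  return siteOf(new URL(topLevelUrl).hostname) !== siteOf(new URL(requestUrl).hostname);
}

// Cookie policy (assumed model of the Firefox 22 behaviour): first-party
// cookies always allowed; third-party cookies only from a site the user has
// already visited as a first party, i.e. one already present in the jar.
function allowCookie(topLevelUrl, requestUrl, cookieJarSites) {
  if (!isThirdParty(topLevelUrl, requestUrl)) return true;
  return cookieJarSites.has(siteOf(new URL(requestUrl).hostname));
}

// The three DNT states: "1" = objects to tracking, "0" = consents, anything
// else (including no header) = the user has not expressed a choice.
function dntState(headers) {
  const v = headers['dnt'];
  if (v === '1') return 'object';
  if (v === '0') return 'consent';
  return 'unset';
}

// Server-side decision: may this request feed behavioural targeting?
// For "unset" the page notes it is unclear how sites react; this example
// chooses (assumption) to track only in first-party context.
function mayTrack(headers, { thirdParty }) {
  const state = dntState(headers);
  if (state === 'object') return false;
  if (state === 'consent') return true;
  return !thirdParty;
}

module.exports = { siteOf, isThirdParty, allowCookie, dntState, mayTrack };
```

Note that DNT and the cookie policy are independent controls: DNT is a request the browser sends to the server, while cookie blocking is enforced by the browser regardless of what the server chooses to honour.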

US – New Tool Encrypts Online Photos So They’re Only Visible to Friends

A team of researchers at the University of Southern California has developed an encryption tool that makes your photos grey and unrecognizable to everyone but your (Facebook) friends. With the cloud-based photo-encryption service, you would not have to trust Facebook or any other online service to keep your photos private. The tool, dubbed “P3” for “Privacy-Preserving Photo Sharing,” pulls a small amount of data out of each digital photo and encrypts that portion; the key to it can be shared with friends. The remaining, unencrypted but unrecognizable part of the photo is posted online as a grey image without clear detail, and the full photo can be viewed only by those with whom the key has been shared. It is not made only for Facebook but for any cloud-based service such as Dropbox or Flickr, and for any other way people share photos, including chat services and forums. The team has a prototype but has not yet decided how it will be marketed; they hope to have a company set up by the summer. So the estimated 250 million photos uploaded to Facebook each day will have to remain unencrypted, and arguably insecure, for the time being. [Source]


UK – Device Losses Lead to Inquiry

The Information Commissioner’s Office (ICO) is looking into the BBC’s recently reported loss of 785 devices. An ICO spokesperson said the office had not been informed of the incident, but it will “be making further enquiries into the loss of this equipment to find out the full details.” A freedom of information request revealed 399 laptops, 347 mobiles and 39 tablets lost or stolen at the BBC, a figure the report states is “probably low” for an organization of its size. The BBC told V3 that it has no official figures on how many devices have been issued to staff. [V3]

US – 93% Knowingly Breach Company Data Policies

A recent breach affecting St. Louis-based Schnucks supermarket chain was exacerbated by the company’s inability to detect the source. As a result, the number of credit and debit cards exposed continued to grow, capping at about 2.4 million. The company has hired a third party to investigate. Meanwhile, Global Payments, Inc., says it is closing its investigation of a March 2012 breach that exposed 1.5 million debit and credit cards. The breach cost the company $92.7 million in expenses. And Financial Times reports on a recent survey of 165,000 employees indicating nine out of 10 knowingly breach employers’ data policies. [ComputerWorld]

US – Hotel Data Security Issues on the Rise

There are data security issues within the hospitality industry and an alleged rise in identity thefts and malware attacks. One attorney specializing in hospitality law said, “Data security is becoming an issue of significant importance in the hospitality industry.” Hackers now attack hotel systems and data in third-party reservation systems not only for credit card data but for additional personal information, including address, license plate number and date of birth, all of which aid in identity theft. [Chicago Tribune]


US – Case May Determine Text Message Privacy Rights

The Washington State Supreme Court is expected to hear two cases next month involving the privacy of text messages in criminal proceedings. In both cases, alleged drug users were arrested after police intercepted their text messages without a warrant. An earlier appellate court case ruled the expectation of privacy of text messages “terminates upon delivery.” Calling text messaging “the 21st-century phone call” in an amicus brief, the Electronic Frontier Foundation has argued the lower court’s decision to uphold the warrantless case “ignored the technological realities of text messaging and threatened to erode privacy protection to a ubiquitous form of communication in the United States.” The high court will hear arguments on May 7. Meanwhile, customers suing Apple for privacy violations are seeking monetary sanctions in a pretrial discovery dispute. [Courthouse News Service]

US – Tracking Study Habits: “It’s Big Brother, Sort of, But With a Good Intent”

Professors at nine colleges are testing technology that allows them to get detailed reports of their students’ study habits through digital textbooks. While students’ digital textbook use has been tracked for a while now, CourseSmart individually packages information on all the students in a professor’s class. The start-up says that surveys indicated few privacy concerns, but one student who uses non-tracked forms of studying worries, “If he looks and sees, ‘Hillary is not really reading as much as I thought,’ does that give him a negative image of me?” More than 3.5 million students and educators currently use CourseSmart textbooks, and the program is expected to be introduced broadly in the fall. [The New York Times]

US – NYC Awareness System Raises Privacy Concerns

New York City’s Domain Awareness System (DAS), which combines police know-how with computer algorithms, is reportedly making the city money and making it safer, but some worry it is also invading people’s personal privacy. The system combines more than 3,500 publicly placed cameras, license-plate readers “at every major Manhattan entry point,” radiation detectors and real-time 911 alerts with “a trove” of police data. The success of the DAS has generated interest from other municipalities, but others worry the invasion of privacy will be “much greater than anything we have seen so far.” In another surveillance story, the Office of Naval Research aims to use autonomous technology to patrol and map the ocean. [The New York Times]

Telecom / TV

US – California AG Harris Urges App Developers to Respect Users’ Privacy

The wealth of personal data that mobile apps collect on their users needs to be conspicuously stated to consumers or developers could face legal heat, California attorney general Kamala D. Harris said. Rather than resorting to subpoenas and enforcement actions, the California attorney general’s office is in the midst of a crusade of sorts built around encouraging app developers, and Internet services firms in general, to become compliant with state privacy laws on their own accord. Last year, for instance, the office reached an agreement with a number of major tech companies, including Facebook and Google, to make the privacy policies for those companies’ mobile apps available to consumers in the Apple App Store and Google Play Store before the download process rather than after. The idea is to encourage technology companies that have access to users’ personal identifiable information such as geolocation and contact lists to better inform consumers how that information is used so consumers can make better decisions about using the app in the first place. A major law at the center of the issue in California is the Online Privacy Protection Act, which requires operators of websites and online services, including mobile and social apps that collect personally identifiable information from Californians, to clearly post a privacy policy. The state has already sued Delta Airlines for failing to comply with the law; that case is ongoing. [Source]

WW – Android Apps Found To Have Breached User Privacy: Study

Android phone users have been warned to check app permissions after it was found that some popular apps upload mobile numbers to third-party entities without notification. According to a new study by Bitdefender, 12.87% of 130,000 free Android apps sent user phone numbers to third-party servers. The researchers found that Texas Poker by Kama Games and Paradise Island by Game Insight International accessed user data. Location and personal email addresses were also distributed to third parties by 12.03% and 7.72% of the apps analysed. Approximately 6% of apps accessed browsing history. According to Bitdefender chief security strategist Catalin Cosoi, the line between third-party advertisers and malware is becoming more blurred. “While malware may steal passwords and other credentials, aggressive advertisers may collect everything else,” he said. “Although violating user privacy raises serious concerns, the risk of having collected data used for malicious purposes is greater than most people imagine.” [Source]

WW – Opinion: Facebook’s ‘Not-A-Phone-But-More-Than-An-App’ Home

Facebook released a mobile thing today. It’s not a Facebook phone. But it’s more than an app. It’s like a digital skin that you slide your phone into so that it’s covered in sticky Facebook goodness. It’s a thing that you will be able to get pre-installed on some Android phones or download from Google Play. It will basically turn your phone’s face into a slideshow version of the Facebook News Feed — photos, check-ins and status updates will flip past and you will be able to “like” them by tapping your phone. It will make frictionless sharing EVEN MORE FRICTIONLESS as you will be able to have mobile apps open inside of Facebook and share instantly. Most importantly, Facebook is bringing us a new bit of terminology with the new Home which Facebook describes as “[not] a phone or operating system [but] more than just an app”: “Chat Heads.” When you get a message from a friend, their head appears on your phone and it will follow you around from screen to screen until you read their message or swipe them away. I suspect the term “Facebook Friends” is about to be replaced by this one, as in, “I don’t really know him that well, he’s just a Chat Head.” Home could be a GPS jackpot for Facebook. If users actually take to Home, Facebook has come up with an excellent way to get people to have Facebook running on their phones all the time. That means Facebook will be able to constantly collect location information from them, making Facebook even more attractive to advertisers looking to deliver ads based on who you are, where you are and what you’re doing. The privacy issues were not missed by Om Malik at GigaOm: The phone’s GPS can send constant information back to the Facebook servers, telling it your whereabouts at any time. So if your phone doesn’t move from a single location between the hours of 10 p.m. and 6 a.m. for say a week or so, Facebook can quickly deduce the location of your home. 
Facebook will be able to pinpoint on a map where your home is, whether you share your personal address with the site or not. It can start to build a bigger and better profile of you on its servers. It can start to correlate all of your relationships, all of the places you shop, all of the restaurants you dine in and other such data. The data from the accelerometer inside your phone could tell it if you are walking, running or driving. As Zuckerberg said — unlike the iPhone and iOS, Android allows Facebook to do whatever it wants on the platform, and that means accessing the hardware as well. [Forbes]

US Government Programs

US – EPIC Urges Distinction between Cybercrime and Cyberterrorism

The Electronic Privacy and Information Center (EPIC) wants the US National Institute of Standards and Technology (NIST) to make clear distinctions between cyber crime and cyber terrorism. NIST is developing a cybersecurity platform as part of the president’s executive order on cybersecurity, and asked for public comments on the development of that platform. In its comments, EPIC notes that “the overwhelming majority of cybersecurity incidents do not fall within the ‘national security’ designation.” [Source]

US Legislation

US – White House: CISPA Not Doing Enough for Privacy

The Obama administration has issued a statement indicating it is unlikely to support the Cyber Intelligence Sharing and Protection Act (CISPA) in the form passed this week by the House Intelligence Committee. “While stopping short of an outright veto threat that many privacy activists may have wanted, the statement made clear that the administration does not believe the bill in its current form does enough to safeguard personal information,” the report states. The committee voted 18-2 in support of CISPA after removing four amendments aimed at increased privacy protections. [Los Angeles Times]

US – Revamped CISPA to Go to Committee Vote

The House Intelligence Committee this week will discuss the Cyber Intelligence Sharing and Protection Act (CISPA), which would provide companies “lawsuit immunity in the case of data exchange.” Changes to the proposal haven’t been announced yet, but some say it will require stronger data anonymization and use restrictions in hopes of allaying the Obama administration’s privacy concerns—which led to threats of a veto last year. “We need to get a little more specific in terms of what type of information we’re sharing and under what circumstances,” said George Washington University Homeland Security Policy Institute Director Frank Cilluffo. CISPA is slated for a committee vote April 10 in a closed session. [ZDNet]

US – Rep to Propose CISPA Amendment; Franken to Reintroduce Bill

Rep. Adam Schiff (D-CA) will propose an amendment to the Cyber Intelligence Sharing and Protection Act (CISPA) to address privacy advocates’ major concerns. Schiff’s amendment would require companies to strip any information “that can be used to identify a specific person unrelated to a cyber threat” before sharing the data with the government or other third parties, the report states. The bill is to be discussed in a closed-door meeting of the House Intelligence Committee next week. Meanwhile, Sen. Al Franken (D-MN) plans to reintroduce his Location Privacy Protection Act and recently admonished retail analytics firm Euclid for the opt-out nature of its data collection practices. [The Hill]

US – Advocates Want House to Debate CISPA Openly

Privacy groups are calling on U.S. lawmakers to make significant changes to the Cyber Intelligence Sharing and Protection Act (CISPA). The 41 groups include the Center for Democracy and Technology, the ACLU and the Electronic Frontier Foundation, and they want the House Intelligence Committee to debate the bill publicly rather than behind closed doors. While Rep. Mike Rogers (R-MI) said recently that concerns with CISPA are due to bad PR, the ACLU says everyone, “from the privacy community to the president, agrees that CISPA is bad on privacy.” Meanwhile, a recent survey indicates data security concerns from American Chamber of Commerce members operating in China are on the rise. [COMPUTERWORLD]

US – The Challenges of Geography-Based Regulations

San Francisco Chronicle explores the challenges that come with geographically differing regulations for online privacy. California, for example, has more defined privacy laws than other U.S. states, but non-California-based Internet companies accessed by California residents are still required to follow California law. Developer Jonathan Nelson says, “The thought of an ‘international boundary’ when it comes to data is really silly to me,” adding, “It’s archaic.” But the EU is also considering regulations that say any online business used by EU citizens is subject to EU privacy laws. Parker Higgins of the Electronic Frontier Foundation adds, “The best approach isn’t necessarily legislating every situation” but “giving consumers the information they need to make choices for themselves.” [Source]

US – Idaho Passes Drone Privacy Law

Amid growing concerns over privacy, Idaho Governor C.L. “Butch” Otter signed a law restricting the use of unmanned aerial vehicles (UAVs) by law enforcement and other public agencies. Idaho now becomes the second state, after Virginia, to pass legislation limiting UAV use. To use the burgeoning technology, law enforcement will need to obtain a warrant prior to collecting evidence on suspects, unless the criminal activity involves illegal drugs or if the UAV is being used for public emergencies or rescue missions, the report states. Idaho Assistant Majority Leader Chuck Widner said, “We’re trying to prevent high-tech window-peeping.” [Chicago Tribune]

Workplace Privacy

US – Retailers Track Employee Thefts in Vast Databases

The New York Times reports on databases created by retailers across the nation that track employees accused of workplace theft. Retailers tap into the databases in order to avoid applicants who have been accused of such crimes by previous employers. In many cases, the report states, employees “have no idea that they admitted to committing a theft or that the information will remain in databases.” Presently legal, the databases are being scrutinized by the Federal Trade Commission for potential violations of the Fair Credit Reporting Act. One lawyer familiar with the system said such a database is a “secret blacklist” and added, “The employees don’t know about it until they have already been hurt.” [Source]


16-31 October 2012



US – FTC Releases Facial Recognition Best Practices

The Federal Trade Commission has released recommendations for companies using facial recognition technology. “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies“ recommends that companies design their services with consumer privacy as a consideration; develop reasonable security practices; assess the sensitivity of the information that is collected, and make sure consumers are aware when a facial recognition technology is being used. “Fortunately, the commercial use of facial recognition technologies is still young,” the staff report states. “This creates a unique opportunity to ensure that, as this industry grows, it does so in a way that respects the privacy interests of consumers while preserving the beneficial uses the technology has to offer.” [Source] [Source] SEE ALSO: [EU – Referral Decision to the European Court of Justice re: refusal to provide biometric data in relation to travel documentation and passports – The Council of State, Netherlands]

WW – The Emergence of Emotion-Sensing Technologies

Improved facial recognition technologies are now capable of sensing human emotions such as anger, sadness and frustration. Affective computing is currently being developed to assess a wide range of applications from reading student interest in the classroom to helping those on the autism spectrum understand the emotions of others. Emotionally aware devices, however, give “many people the creeps,” the report states. Oxford University Future of Humanity Institute Director Nick Bostrom said, “We want to have some control over how we display ourselves to others,” adding, “it’s not obvious the world would be a better place” with such technology. [The New York Times] SEE ALSO: [Smart Cameras Predict Human Behavior]


CA – Online Surveillance Set as Tories’ Bill C-12 Comes Up for Second Reading

The Conservative government’s widely criticized online surveillance legislation may be on the back burner, but another bill that would expand police access to Internet users’ data is about to resurface. Bill C-12 would make it easier for authorities — possibly including private security firms — to obtain information about subscribers from Internet service providers, email hosts and social media sites on a voluntary basis. The legislation also includes provisions that could effectively impose a gag on the companies, preventing them from telling customers their personal details have been shared. Government House leader Peter Van Loan recently signalled the little-noticed bill could come up for second-reading debate as early as next week. The likely re-emergence of the bill comes eight months after a storm of outrage over another, highly publicized attempt to boost Internet surveillance. Bill C-30 alarmed civil libertarians because it would allow authorities access to Internet subscriber information — including names, addresses, telephone numbers and email addresses — without a warrant in cases where companies refused to provide it voluntarily. [National Post] SEE ALSO: [Canadian police urge Parliament to pass domestic spying bill]

CA – Canadian, German Data Protection Watchdogs Join Forces

The German and Canadian data protection commissioners signed an agreement that aims to ensure people’s digital privacy will be better protected if data travels across borders via the Web, the authorities announced. International cooperation could help put companies like Facebook and Google on a privacy leash. Both countries will inform each other about important events and complaints and will cooperate on specific cases, the authorities said in a news release. Although there have not yet been cases where the data protection authorities might have wanted to work together, Peter Schaar, the German Federal Commissioner for Data Protection and Freedom of Information, said international cooperation is needed in cases dealing with companies like Google and Facebook. Both data protection agencies are striving to expand their coordination with counterpart agencies around the world, they said. At the 34th International Conference of Data Protection and Privacy Commissioners at the end of October in Uruguay, Canada and Germany plan to discuss extending their cooperative agreement to more countries. [IDG News Service]

CA – Federal Confusion Undermines No-Fly List, Spy Watchdog Says

The federal spy watchdog says confusion over how Canada’s no-fly list should work has “significantly undermined” its potential to help keep the skies safe. In its newly released annual report, the Security Intelligence Review Committee reveals there is uncertainty in government over who should be on the no-fly roster. Under the program in place since June 2007, airlines rely on a list of individuals considered “an immediate threat to civil aviation” should they board an aircraft. The review committee says, however, that description is open to interpretation, and federal agencies have “struggled” with nominating people for the list. The review committee also raises concerns about CSIS’s information exchanges with foreign counterparts — a sensitive issue given the possibility such sharing can lead to the torture of people detained in overseas prisons. The committee identified problems with:

 - CSIS’s efforts to obtain assurances from foreign partners when receiving information from them.

 - the attachment of caveats — or restrictions on use — when providing information to a foreign agency.

 - the sharing of information on young offenders.

The watchdog concluded there was a “lack of clarity and absence of guidelines” on assurances from foreign partners when information-sharing poses a substantial risk of torture. It also found the use of specific caveats was inconsistent — noting up to a dozen different ones had been attached to files shared in recent years. The review committee recommends CSIS develop policy and direction on the use of assurances, and that it revise its policy on caveats. [CBC News] SEE ALSO: [US – Experts warn about security flaws in airline boarding passes] AND [Auditor General report: Canada’s online security centre not operating around the clock]

CA – Federal Privacy Commissioner Satisfied With Response from ‘Leaky’ Web Sites

Privacy Commissioner Jennifer Stoddart says she’s pleased with the progress made by organizations flagged as raising privacy concerns. In September, Stoddart said some leading Canadian websites were inappropriately sharing users’ personal information with third parties. After investigating 25 shopping, travel and media sites, Stoddart wrote to 11 of them asking for changes in order to comply with Canadian privacy law. A Stoddart spokesperson said she’s “pleased that they appear to be taking this issue very seriously,” and the office is now analyzing their responses for continued discussions. [Source]

CA – Ontario Commissioner Releases Paper on Personal Data Ecosystem

Information and Privacy Commissioner of Ontario Ann Cavoukian, with co-authors from Europe and the U.S., has released a paper, Privacy by Design and the Emerging Personal Data Ecosystem, that highlights new technologies enabling Internet users to have more control over their data. “Privacy is all about control,” Cavoukian says in a news release, adding, “that is why I am taken with the promise of the emerging Personal Data Ecosystem. New technologies…give individuals a central point of control for their personal information and the ability to decide what information to share, with whom and under what conditions.” [News Release] See also: [NYT: New Online Storage Service to Put Users in Charge] AND [US – Data Deluge Creates Privacy Issues]


WW – Transaction Data-Sharing Rising; Consumers Want Control Over PI, Says Survey

MasterCard is currently reviewing transaction data to help marketers improve targeted advertising. MasterCard Senior VP of Media Solutions Susan Grossman said, “The foundation of all our solutions is transaction data.” A company spokesman said MasterCard is “committed to protecting individual privacy” and that shared data is anonymous and aggregated. Wired reports on potential business ventures for Amazon. A representative from a digital ad agency said, “With rich data on its users, Amazon is uniquely positioned to match advertisers with shoppers.” Meanwhile, a TrustedID survey has revealed that less than 20% of consumers have a good understanding of “data brokers.” [Financial Times]


US – Presidential Campaigns Ramping Up Online Tracking

The New York Times reports on the online tracking of consumers by both U.S. presidential campaigns. “One of the hallmarks of this campaign,” the article states, “is the use of increasingly complex—but not always accurate—data-mining techniques to customize ads for voters based on the digital trails they leave as they visit Internet sites.” According to an Evidon report, both campaigns have increased their online tracking beyond that of many popular retailers, the report states. Some privacy advocates worry that collected data could be used for secondary purposes, giving businesses a window into users’ political beliefs. The ACLU’s Chris Calabrese said, “We simply don’t know how this information is going to be used in the future and where it is going to end up.” [NYT] SEE ALSO: [AU – Site names homeowners – concern over website’s breach of privacy]


US – Inspector General: Lack of Encryption Software Puts Vet Data at Risk

Encryption software purchased for PCs and laptops at the U.S. Department of Veterans Affairs (VA) has been installed on only 16% of computers, according to the department’s inspector general. The software was purchased six years ago after a high-profile data breach involving the loss of information on 26 million veterans and costing $20 million to clean up. An anonymous tip that the software was not being implemented prompted the inspector general to investigate. The inspector’s subsequent report states that veterans’ data “remained at risk due to unencrypted computers.” The VA says it plans to complete installing the software by September 2013. [InformationWeek] [Inspector-General report]

UK – RSA Splits Passwords in Two to Foil Hackers’ Attacks

A product that scrambles and then splits users’ passwords in two before storing them on different computer servers has been unveiled by RSA. The security firm says the facility offers better protection against hackers, who would only gain access to half a “randomised” password in the case of a successful attack. The firm said the idea had been discussed by academics for some time. However, one expert said it would only prevent a minority of attacks. RSA’s distributed credential protection (DCP) facility was announced at the company’s annual European Conference in London. “DCP scrambles, randomises and splits sensitive credentials, passwords and Pins and the answers to life or challenge questions into two locations,” said the firm’s marketing manager Liz Robinson. “This is especially important in today’s landscape as we’ve seen over 50 million passwords stolen in large data breaches in 2012 alone.” [Source] SEE ALSO: [Top 25 common, attackable passwords: Stop using ‘ninja’ and ‘jesus’]
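To make the “half a randomised password” claim concrete, here is an added illustration (not RSA’s DCP code, whose internals the article does not describe) of the underlying idea: a salted password verifier is XOR-split into two shares held by two stores, so a breach of either store alone yields a uniformly random value that cannot be checked against password guesses. The iteration count, share length and store names are assumptions.

```python
import hashlib
import hmac
import os

# Constructed parameters for this illustration (not RSA's settings).
SHARE_LEN = 32          # bytes; one share is as long as the SHA-256 verifier
PBKDF2_ROUNDS = 100_000 # slow hash so the recombined verifier is still costly to guess


def verifier(password: str, salt: bytes) -> bytes:
    """Derive the value that would normally be stored: a salted, slow password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ROUNDS, dklen=SHARE_LEN)


def split(secret: bytes) -> tuple:
    """2-of-2 XOR secret sharing: share_a is fresh randomness, share_b = secret XOR share_a.
    Each share on its own is independent of the secret, so holding one reveals nothing."""
    share_a = os.urandom(len(secret))
    share_b = bytes(x ^ y for x, y in zip(secret, share_a))
    return share_a, share_b


def combine(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine the two shares; only a party holding both gets the verifier back."""
    return bytes(x ^ y for x, y in zip(share_a, share_b))


def enroll(password: str) -> dict:
    """Enrol a user: hash, randomise and split, then place one share in each store.
    'store_a' and 'store_b' stand for the two separate servers in the article."""
    salt = os.urandom(16)
    share_a, share_b = split(verifier(password, salt))
    return {"salt": salt, "store_a": share_a, "store_b": share_b}


def verify(password: str, record: dict) -> bool:
    """Login check: recombine both shares and compare in constant time.
    A deployment must make sure the recombined verifier lives only briefly in memory."""
    expected = combine(record["store_a"], record["store_b"])
    return hmac.compare_digest(expected, verifier(password, record["salt"]))


def check_with_one_share(candidate: str, salt: bytes, one_share: bytes) -> bool:
    """What someone holding only ONE store's data can do with a password guess:
    compare the guess's verifier against the share. Because the share is uniformly
    random, this is False for right and wrong guesses alike (except with
    probability 2^-256), so a single-store breach gives no offline guessing signal."""
    return hmac.compare_digest(verifier(candidate, salt), one_share)


# Caveat the article's expert raises, in code terms: the split protects the stored
# verifier only. It does nothing against a password captured by phishing or
# malware on the client, and a compromise of BOTH stores restores the ordinary
# salted-hash situation, so rate limiting and slow hashing still matter.
```

The constructed `check_with_one_share` helper exists only to show that a lone share gives no signal; a real deployment would never expose such a comparison.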

EU Developments

EU – Justice Committee Calls for Changes in Draft Data Protection Proposals

The Justice Select Committee has said the European Data Protection proposals “need to go back to the drawing board.” The committee says in a new report that the updates to data protection laws are “too prescriptive” and don’t allow necessary flexibility for data protection authorities or organizations that retain personal data. The proposals should focus on the commission’s objectives while compliance should be monitored by member states, the committee suggests. The committee noted its support for the draft law’s provisions that would give individuals increased control of their data, allow for data erasure or removal and harmonize laws across regions. [Source] SEE ALSO: [EDPS – Comments on DG Connect’s Public Consultation on Improving Network and Information Security (NIS) in the EU] SEE ALSO: [EU – RSA’s Coviello calls for privacy laws to be overhauled to improve security]

US – FTC Declines to Comment on EU’s Call for Privacy Policy Changes

Following French DPA (CNIL) President Isabelle Falque-Pierrotin’s announcement on calls for Google to revise its privacy policy, the U.S. has “declined to join European criticism.” Falque-Pierrotin had asked the FTC’S David Vladeck to support a letter that Dutch DPA Chairman Jacob Kohnstamm previously confirmed was endorsed by 27 EU member states, Canada and some countries in Asia. Vladeck declined, and the FTC has not commented on whether it is investigating privacy issues raised in the letter, the report states. “We would have been happy if they would have signed it,” Falque-Pierrotin said, adding, “I think they will study it and have their own conclusions.” [The Washington Post]

EU – Reding Hints at Data Protection Concessions for SMEs

At a Home Affairs Council meeting in Luxembourg last week, EU Justice Commissioner Viviane Reding said she was willing to offer some concessions to small-medium enterprises (SMEs) and the public sector in revisions to the data protection regulation. Though the regulation needs the “right firmness of touch,” Reding said she did not want SMEs to be overburdened. “The commission is prepared to look at whether this SME exemption could be broadened to other areas and that we can also look to add further flexibility through an approach that takes into account the amount and sensitivity of the data processed,” Reding said, adding, “One thing is clear: There can be no general exemption for the public sector.” [COMPUTERWORLD UK]

EU – Council of Europe Promoting Latin American Data Protection

The Council of Europe is encouraging non-EU member states to ratify Convention 108—the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. Uruguay, which recently hosted an international privacy conference, has initiated the ratification process, possibly becoming the first non-Council of Europe member state to do so. Council of Europe’s Jörg Polakiewicz said, “The eventual accession of Uruguay will be a key step towards the global promotion of the convention and intergovernmental cooperation on personal data protection,” adding, “We are sure, hopefully, that Uruguay will be the first of many non-European countries to join the treaty.” [MercoPress]

UK – ICO Looking Into Police Data Collection, Retention

The Information Commissioner’s Office (ICO) is investigating claims against Kent police over data collection and retention activities. A spokesman for the ICO said, “If police forces are examining the content on mobile phones and are wanting to use that information, this would need to comply with the Data Protection Act.” He added the office is “looking at this issue and will be considering whether any action is necessary to help ensure compliance…” Meanwhile, a spokesman for the Home Office said that although information about suspects is crucial, police “should only be extracting and retaining data relevant to criminal investigations or for other permitted purposes.” [This is Kent]

UK – UK ICO Updates Guide to ICO Data Protection Audits, Version 2.0

The audit guidelines have been updated to reflect the likelihood of follow-up action after the original audit has been completed, based on the original audit findings:

 - high assurance of data protection found: there will be no follow up;

 - reasonable assurance of data protection found: an e-mail follow up will be conducted at 6 months and a short summary report will be produced;

 - limited assurance of data protection found: an e-mail follow up will be conducted at 6 months to determine whether a follow up visit is required;

 - very limited assurance of data protection found: 3 monthly updates will be required from the organisation, as well as a full update at 12 months, and a follow up site visit will probably be required.

[Source] SEE ALSO: [UK Information Commissioner’s Office – Audit: A Guide to ICO Privacy and Electronic Communications Regulations Audits] AND [UK Information Commissioner’s Office – Audit Outcome Analysis: Central Government – February 2010 to July 2012] AND [UK Information Commissioner’s Office – Audit Outcome Analysis: National Health Service (NHS) – February 2010 to July 2012] AND [UK Information Commissioner’s Office – Surrey and Sussex Probation Trust – Data Protection Audit Report Executive Summary] AND [Datainspektionen, Sweden – Decision – Uppsala County Council Hospital is Correcting Deficiencies: the Data Inspection Board (“DIB”) issues a decision regarding a hospital’s shortcomings in its IT systems regarding doctor access to medical records]

UK – ICO Fines Council £120,000 After Child Data Breach

The Information Commissioner’s Office (ICO) has fined Stoke-on-Trent Council £120,000 after sensitive personal information was e-mailed to the incorrect recipient. The council failed to resolve issues raised by an earlier and similar incident by failing to provide a legal department with encryption software and lacking data protection training, the report states. ICO Head of Enforcement Stephen Eckersley said “the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.” [Source] SEE ALSO: [UK – Information Commissioner’s Office – Data Protection Act 1998 Monetary Penalty Notice – Norwood Ravenswood Limited]

EU – Regulators Looking Into Microsoft Changes

Luxembourg and other EU data protection commissions (DPCs) are looking into whether changes Microsoft made to its Internet products Hotmail and Bing bring new privacy risks for users and comply with the region’s standards on notice and choice. President of the Luxembourg DPC Gerard Lommel acknowledged that possible issues “can neither be excluded nor confirmed” in this case, suggesting the review is not on the level of a recent investigation into Google’s privacy policy changes “where clear privacy issues had been identified.” [The Washington Post] SEE ALSO: [EU – European Commission v. Republic of Austria – Case C-614/10 – European Court of Justice]

EU – Court Rules Austria DPA Needs More Independence from Gov’t

The Court of Justice of the European Union (CJEU) has ruled that the Austrian government has not complied with EU law because it has not provided its data protection authority (DPA), the Datenschutzkommission, with “complete independence.” To attain “complete independence,” the CJEU ruled, DPA staff must not share offices with government officials; the DPA must not be required to give the government “unconditional” access to information about its work; and the individual heading a DPA must not simultaneously hold other government positions. During a speech in Brussels, the European Data Protection Supervisor called the decision a “great day for data protection in Europe,” while also discussing the relationship between the proposed EU regulation and the e-Privacy Directive.

UK – Graham: “Important Data Protection Principles at Stake”

Information Commissioner Christopher Graham told a committee of MPs recently that the draft Communications Bill, currently in front of Parliament, may miss its intended mark and instead uncover “incompetent and accidental anarchists” rather than the “really scary people.” The bill would see Internet service providers (ISPs) required to store communications data for at least one year, but Graham says it may only apply to the six largest companies, adding, there are “important data protection principles at stake. There is a judgment to be made between the security community saying ‘we have to have this stuff’ and the civil liberties community, which says this is a gross intrusion of privacy and of citizens’ rights.” [BBC News]


WW – Twitter Posts Notices for Copyright-Deleted Tweets

Twitter has made a significant shift in how it responds to copyright complaints. In the past, such complaints meant that tweets would vanish without a trace but now people can see the place where the tweet once stood — and reaction to its disappearance. [GigaOm]


WW – PCI Council Says Payment Regulation Is Challenging

PCI Security Standards Council European Director Jeremy King has said the council was “surprised at how fast new technologies were coming along” in the mobile payment landscape. King added, “Mobile technology is still new, and there is still no knowledge of how to do mobile security.” Analyst Alan Goode said challenges not only reside on the security side but in the authentication and data protection spheres as well. “It is difficult to regulate and ensure data is protected,” he said, adding, “With mobile you can do it right, providing that the data is protected and assured.” [SC Magazine]

US – Credit Report Data Security Questioned

The theft of credit reports raises questions of whether adequate security is being employed to protect credit reporting databases. Instead of directly targeting the big three credit bureaus, data thieves often target affiliated businesses that utilize credit background checks. Sen. Richard Blumenthal (D-CT) said, “This is profoundly important because it illustrates a growing problem when it comes to data breaches and security—the chain is only as strong as its weakest link,” adding, “If their customers have inadequate security practices, so do the credit bureaus.” A spokesman for Experian said, “We continue to invest in the security systems we have in place to protect our clients and consumers.” [Bloomberg] SEE ALSO: [CA – TD Bank missing data could affect 1,000 Canadians with U.S. accounts] AND [US – Can’t fix error in your credit report? Call Consumer Financial Protection Bureau] AND [“Lagarde list” of Greek depositors in Swiss bank leaked, journalist arrested for breach of privacy]


CA – Federal Gov’t Plans Online Pilot Project for Access-to-Information Requests

Canada’s archaic access-to-information regime is about to establish a toehold in the online world. The Harper government plans a pilot project early next year to allow ordinary citizens and others to request internal documents under the Access to Information Act via the Internet. The one-stop online portal would route each request to the proper department, allow fees to be paid electronically, and permit detailed tracking of the processing of the file. The initiative will begin with just three departments, but is to include most federal agencies and institutions over the next three to four years. Canada, once considered a global leader in freedom of information, has since become a laggard, with one 2011 study ranking the country 40th among 89 nations with similar transparency laws. [Source] [Canadian government revamping open data portal] SEE ALSO: [Ontario ombudsman André Marin says municipalities ‘shockingly secretive’]

US – Gazette Sues City for Records of Employee Discipline for Internet Abuse

The Billings Gazette filed a lawsuit against the city of Billings, asking for the release of public records dealing with city workers who were disciplined for viewing inappropriate websites on the job. The state District Court lawsuit seeks a court order compelling the city to produce documents in the case of five workers who were suspended without pay for five days last spring. In the lawsuit, Gazette attorney Martha Sheehy cited the right-to-know provision of the Montana Constitution and said the city “impermissibly violated the public’s right to inspect and copy documents held or generated by a public body.” The city has not identified the five workers and would not say what positions they held or where in the city they worked. “The law is well settled,” the suit says. “Public employees who occupy positions of trust have no legitimate right to privacy to investigations of their conduct.” The suit further says that managerial employees “clearly had no reasonable expectation of privacy” and nonmanagerial employees “have limited privacy interests in the misuse of government time and computers in the accessing of inappropriate internet sites.” “The public’s right to know clearly outweighs any privacy interests which might be asserted by a public employee disciplined for accessing or repeatedly attempting to access inappropriate materials while at work for the City,” the suit continues. In addition to asking for a court order requiring the city to produce the requested documents, the suit asks that the city pay the newspaper’s attorney fees and costs. [Source] SEE ALSO: [IPC ON – Order PO-3110 – Appeal PA11-347 – Ministry of Health and Long-Term Care]


US – Citing Privacy Concerns, U.S. Panel Urges End to Secret DNA Testing

They’re called discreet DNA samples, and the Elk Grove, California, genetic-testing company easyDNA says it can handle many kinds, from toothpicks to tampons. If the availability of such services seems like an invitation to mischief or worse – imagine a discarded tissue from a prospective employee being tested to determine whether she’s at risk for an expensive disease, for instance – the Presidential Commission for the Study of Bioethical Issues agrees. On Thursday it released a report on privacy concerns triggered by the advent of whole genome sequencing, determining someone’s complete DNA make-up. Although sequencing “holds enormous promise for human health and medicine,” commission chairwoman Amy Gutmann told reporters, there is a “potential for misuse of this very personal data.” The bioethics panel recommends a dozen forms of privacy protection, including that “surreptitious commercial testing” be banned: No gene sequencing or other genetic testing should be permitted without consent from the person the DNA came from, it said. About 25 states currently allow such DNA testing. The full report from the presidential commission is at [] [US Panel: Protect patients who use whole genome sequencing] SEE ALSO: [IN – Department of Biotechnology, Government of India – Draft Human DNA Profiling Bill 2012]


US – Policies of Google and Others Said to Mean Privacy Risks For ‘Cloud’ Users

The privacy policies of Google and other tech firms could allow them to mine personal data held by government agencies that use cloud-based e-mail, database and document services, an industry group has warned. The group, a consortium of industry experts promoting safe government use of cloud services, raised the concern as Google has sought to defuse controversy over changes to its privacy policy that allow for more extensive tracking of consumers. The group first highlighted this issue in January after Google announced plans to consolidate its privacy policy across more than 60 services, including Gmail and YouTube, allowing tracking of users as they move among those sites. It recently renewed its call for greater safeguards after European data-protection commissioners last month identified significant legal shortcomings in the policy and called for changes. Google officials say the changes to its privacy policy do not affect the bundle of productivity software it sells to governments, which is governed by contractual provisions. “The privacy policy as written gives them unlimited ability to mine [data] as they see fit,” said the group’s Jeff Gould. The group says its concerns extend to state and local governments, as well as schools and other public institutions. “It’s just not appropriate to have data mining,” Gould said. “If they’re not doing that, then let them say that.” [The Washington Post] SEE ALSO: Europe: [Google’s privacy policy under fire] AND [NYT: Larry Page Defends Google’s Privacy Policy] AND [UK: Google told to fix privacy policy by EU data regulators]

EU – Advocate: Google Data Use Should Be in Antitrust Talks

A European-based consumer rights group has said the European Union should consider Google’s access to personal data in its antitrust considerations. Consumer organization BEUC Director General Monique Goyens said in a letter to the EU’s antitrust chief that much of the company’s market advantage is “largely fueled by its access to users’ personal data.” Goyens added, “The privacy policy of Google is directly linked to its dominance in the online search and should therefore be considered as an aggravating factor in your analysis.” [BusinessWeek]

US – Opposition to Google’s Safari FTC Privacy Settlement to Be Heard Next Month

A California court will hear arguments next month against a proposed settlement between Google and the FTC. The $22.5 million settlement is the largest fine handed down by the FTC thus far and stems from Google’s use of cookies to track users of Apple’s Safari browser. Privacy advocates have criticized the settlement for being “too soft,” the report states. Advocacy group Consumer Watchdog will argue at the November 16 hearing that the deal does not prevent Google from conducting similar tracking in the future and does not require the company to destroy information gleaned from past tracking. [IDG News Service]

WW – Google Exec: Internet Evolves Too Fast for Regs

Colin McKay, a Canadian policy manager at Google, told a House of Commons committee that the online world moves too fast to create regulations that will endure and that a more enforcement-focused system could curb open discussions between tech companies and regulators. “We would have to consider what the possible repercussions of having that open a discussion, in a system that’s more heavily focused on enforcement, would have on how our products roll out and how the privacy commissioner interprets our actions,” McKay said, adding that the two sides now engage in constructive dialogue and companies respond quickly to rulings. [The Canadian Press] SEE ALSO: [CA – OPC – Letter to the French Data Protection Authority Regarding its Review of Google’s Privacy Policy] AND [CA – Wayne Plimmer v. Google Inc. – Class Action Complaint – Supreme Court of British Columbia] AND [US – Brad Scott and Todd Harrington et al. v. Google, Inc. – Defendant Google Inc.’s Motion to Dismiss Plaintiffs’ First Amended Class Action Complaint – United States District Court Northern District Of California, San Jose Division] AND [AU – student data stored for Google ads] AND, finally: [Google allows anyone with a Web browser to peer into data centers that power its services]

Health / Medical

UK – NHS lost 1.8 Million Patient Records in a Year

More than 5,000 confidential patient records are being lost by the NHS every day, according to new figures. Official statistics showed that at least 1.8 million sensitive papers went missing throughout the health service in just 12 months. The breaches included records dumped in public bins and electronic records found for sale on an internet auction site. Other security lapses involved details of terminally ill patients being faxed to the wrong number, patient records being stolen and posted on the internet, and unencrypted laptops being stolen from the homes of staff members. Campaigners labelled the disclosures worrying lapses in data protection and called for systems across the NHS to be tightened. [Telegraph Reporters] SEE ALSO: [US – Seeking a difficult balance: The limits of privacy in the emerging healthcare IT ecology] AND [US – Electronic Health Records vs. Patient Privacy: Who Will Win?] AND [US: Centers For Medicare & Medicaid Services (CMS) Falls Short In Response To Healthcare Data Breaches] AND [Ontario College of Physicians keeps secret details of doctor’s incompetence] AND [NYT: Boy Scout Files Give Glimpse Into 20 Years of Sex Abuse]

Horror Stories

US – Breach Report: 174 Million Records Compromised in 2011

According to Verizon’s Data Breach Investigations Report, 174 million records were compromised in 855 data breach incidents in 2011. Calling it “an all-time low,” the report revealed that 96% of breached organizations in Verizon’s caseload that were required to follow the Payment Card Industry Data Security Standard (PCI DSS) were not compliant with it at the time of the breach. The Verizon report stated, “We are seeing a continuing trend whereby more of the organizations that fall in the 96% tend to be on the small side,” adding, “In many cases, these organizations have either failed to perform their assessments or failed to meet one or more of the requirements.”

US – 3.6 Million SSNs Exposed in Data Breaches

A data breach at the South Carolina Department of Revenue has exposed as many as 3.6 million Social Security numbers and 387,999 credit card numbers. The breach was the result of a cyber attack against the department’s systems in mid-September. The Social Security numbers were not encrypted. The state’s chief consumer advocate is calling for privacy laws to be strengthened to tell agencies how to guard against a breach. Meanwhile, employees of the Hillsborough Area Regional Transit Authority in Florida have been alerted that their Social Security numbers and bank information may have been compromised. [SecurityWatch]

WW – Hackers Breach 53 Universities and Dump Thousands of Personal Records Online

Hackers published online Monday thousands of personal records from 53 universities, including Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Zurich and other universities around the world. The group of hackers, calling themselves Team GhostShell, claimed responsibility for the attack on Twitter and published some 36,000 e-mail addresses and thousands of names, usernames, passwords, addresses and phone numbers of students, faculty and staff. In most cases the data was already publicly available, but in some instances the records included additional sensitive information such as students’ dates of birth and payroll information for university employees. [New York Times] SEE ALSO: [Spear-phishers lie in wait at ‘watering hole’ websites]

US – PIN Pads Breached at Barnes & Noble Stores

Credit card information of Barnes & Noble customers has been stolen by hackers at 63 store locations across the country. The bookseller discovered the breach in September and was instructed by the Justice Department to keep the matter under wraps so the FBI could investigate. The hackers allegedly accessed the financial data via PIN pads placed at store registers. Though breach notification varies by state, Morrison & Foerster Attorney Miriam H. Wugmeister said, “If you have a breach that included name plus credit card information, but the credit card information was encrypted, you would not have to provide notice.” [The New York Times]

US – Tennessee Hospital Reports Breach

A Tennessee hospital is notifying 27,000 patients that their personal information has been compromised. Blount Memorial Hospital says a laptop was stolen during a burglary in August. The laptop contained 22,000 patients’ names, dates of birth, addresses and billing information, among other details, and the Social Security numbers of about 5,000 additional patients. The hospital has alerted the U.S. Department of Health and Human Services Office for Civil Rights. SEE ALSO: [CA – Lawyers to start process for class action suit over privacy breaches at Peterborough hospital]

US – University of Georgia Notifies 8,500

The University of Georgia (UGA) is notifying 8,500 current and former employees that their personal information may have been exposed. According to UGA Vice President for Information Technology Timothy Chester, “This appears to be a planned intrusion by someone who knew enough about our operations to know which accounts to attack and where the sensitive information was located within the system.” The intruder reset the passwords of two IT department personnel to gain access to the data. “It is clearly a criminal act of computer trespass, and we are working with UGA Police to investigate,” Chester told employees in an e-mail. [SCMagazine]

US – $665,000 or More Expected in Settlement of MN Case

A former police officer may receive more than $665,000 in the settlement of a case where other law enforcement officers illegally accessed her driver’s license information. Her suit alleges 144 law enforcement officers “accessed, used or disclosed her private information approximately 554 times” between 2005 and 2012 “without any legitimate business reason to do so” and names the cities of St. Paul and Minneapolis, MN, among others. A $385,000 settlement is proposed with St. Paul, MN, and a $280,000 settlement was reached during an October 1 court-ordered mediation with the 16 other area cities. A settlement conference with the city of Minneapolis is scheduled for October 25. [KSTP-5 Eyewitness News] see also: [NZ: Independent inquiry into WINZ privacy breach]

Identity Issues

CA – Service Ontario ID Card Changes

In a recent press release, Liz Sandals and Bob Chiarelli, Ontario’s Minister of Infrastructure and Minister of Transportation, announced improvements to the program that runs the Ontario ID card. Ontario is making it easier for residents without a driver’s licence to get official, government-issued photo ID. The Ontario Photo Card is now available at a number of local ServiceOntario centres and will be offered at all ServiceOntario centres throughout the province by December 2012. [Source] SEE ALSO: [New Canadian Passports: Tories Pushed Design In A Historical Direction] AND [CA – Alberta man wins back identity 8 years after losing wallet]

WW – Facebook Removes Two-Factor Authentication Mobile Numbers From Search

Mobile phone numbers used for Facebook’s “Login Approvals” account security feature are no longer searchable through the website. Facebook’s search system provides reverse lookup functionality that allows users to find other people on the website by searching for their phone numbers or e-mail addresses instead of their names. “Login Approvals” is a two-factor authentication feature that requires users to input special codes sent to their mobile phones in addition to their regular passwords when authenticating from a new device. The feature is designed to prevent account abuse in cases where the user’s password is compromised. The new restriction applies only to mobile phone numbers used for two-factor authentication, not to every phone number added by users in the “Contact Info” section of their profile pages, a Facebook spokeswoman said. Last week, Facebook limited the rate at which phone numbers can be searched on its mobile website in order to block a phone-number harvesting method disclosed by a security researcher. Suriya Prakash, an independent security researcher from India, publicly reported on Oct. 5 that Facebook’s reverse lookup feature can be abused to search thousands of sequential phone numbers in order to find any Facebook profiles associated with them. [IT World]
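The two mitigations in the story, keeping second-factor numbers out of the searchable index and throttling reverse lookups, can be shown in a small model of such a lookup endpoint. The following is an added example written for this digest, not Facebook’s code; the profile data, the limits (20 lookups per minute, a cut-off after five consecutive numbers) and the attacker loop are all constructed assumptions chosen to make the enumeration visible.

```python
from collections import deque


class Profile:
    """One user record. Constructed data; fields and semantics are assumed."""

    def __init__(self, name, phone, two_factor_only=False):
        self.name = name
        self.phone = phone                      # digits only, e.g. "15551230042"
        self.two_factor_only = two_factor_only  # number added only for login approvals


class RateLimited(Exception):
    pass


class ReverseLookup:
    """Phone-number -> profile lookup with two mitigations:
    1. numbers that exist only as a second factor are never indexed;
    2. each client gets at most `limit` lookups per `window` seconds and is
       cut off when it probes `run_len` consecutive numbers in a row."""

    def __init__(self, profiles, limit=20, window=60.0, run_len=5):
        self.index = {p.phone: p for p in profiles if not p.two_factor_only}
        self.limit, self.window, self.run_len = limit, window, run_len
        self.calls = {}   # client_id -> deque of lookup timestamps
        self.last = {}    # client_id -> (last number probed, length of consecutive run)

    def lookup(self, client_id, phone, now):
        if not phone.isdigit():
            raise ValueError("phone must be digits only")
        n = int(phone)
        # Sequential-probe heuristic: people search one number a friend gave
        # them, scrapers walk a range. Track how many probes in a row were n+1.
        prev, run = self.last.get(client_id, (None, 0))
        run = run + 1 if prev is not None and n == prev + 1 else 1
        self.last[client_id] = (n, run)
        if run >= self.run_len:
            raise RateLimited(f"{client_id}: sequential enumeration detected")
        # Sliding-window rate limit on total lookups.
        q = self.calls.setdefault(client_id, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            raise RateLimited(f"{client_id}: over {self.limit} lookups per {self.window}s")
        q.append(now)
        return self.index.get(phone)


# Constructed directory: Bob's number exists only as a login-approval number.
PROFILES = [
    Profile("alice", "15551230001"),
    Profile("bob", "15551230002", two_factor_only=True),
    Profile("carol", "15551230007"),
]


def harvest(svc, client_id, start=15551230000, count=200, rate=10.0):
    """Constructed attacker: walks `count` sequential numbers at `rate` per
    second and returns the profiles it finds before being cut off."""
    found = {}
    for i in range(count):
        phone = str(start + i)
        try:
            p = svc.lookup(client_id, phone, now=i / rate)
        except RateLimited:
            break
        if p is not None:
            found[phone] = p.name
    return found


def demo():
    svc = ReverseLookup(PROFILES)
    # an ordinary user looks up a number a friend gave them
    friend = svc.lookup("user-1", "15551230001", now=0.0)
    # the same user cannot find a number that exists only for two-factor codes
    hidden = svc.lookup("user-1", "15551230002", now=1.0)
    # a scraper walking the range is stopped after a handful of probes
    harvested = harvest(svc, "scraper-1")
    return friend.name, hidden, harvested


if __name__ == "__main__":
    print(demo())
```

With the consecutive-run check disabled (`run_len` set very high) the scraper still stops at the 20-lookup window, but it has already found two of the three profiles; the run heuristic catches it after four probes. Neither control replaces the first one, which is what the story is about: a number that is only a second factor should never be in the index at all.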

Intellectual Property

US – Judge Sets Record $1.5 Million Fine in BitTorrent Case

Kywan Fisher was ordered by an Illinois federal court to pay $1.5 million, or $150,000 for each of the ten movies he downloaded, to adult film production company Flava Works. In a default judgment, the judge imposed the maximum statutory damages available under U.S. copyright law, $150,000 per work, for each of the ten films, the biggest penalty to date in a BitTorrent case. [Forbes]

Internet / WWW

WW – UN Wants “Anti-Terror” Internet Surveillance

The United Nations (UN) has released a report calling for more surveillance of Internet traffic and users for the purpose of undermining terrorist activity. “The Use of the Internet for Terrorist Purposes“ states, “One of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.” The 148-page report notes that terrorists use social networks to spread propaganda. UN Executive Director Yury Fedotov said, “Potential terrorists use advanced communications technology, often involving the Internet, to reach a worldwide audience with relative anonymity and at a low cost.” [CNET News] SEE ALSO: [US – Zillow Now Tells the World About Your Foreclosure]

Law Enforcement

US – Minneapolis Police Want to Limit Access to License Plate Camera Data

A Minneapolis municipal committee is now advocating on behalf of local police for a change in Minnesota’s state law concerning the right to access data collected from license plate readers (LPRs). For now, the city maintains a massive database collected from its 11 LPRs that holds each license plate number seen, along with the corresponding GPS location, date and time, for the previous 90 days. In a recent meeting, the Committee of the Whole heard a new proposal from the city police department that would restrict access to license plate reader records. Under the proposed rules, only the police would have access to the entire database, and a non-police individual would be able to access only the data that pertained to his or her own car. Currently, a rather liberal open records state law known as the Data Practices Act makes all government data public by default. If approved by the Minneapolis city council, such changes could be put forward to the state legislature as soon as next year. [Ars Technica]

CA – Police Push for Surveillance, Data-Sharing Legislation

Police chiefs across the country are pushing for controversial Internet surveillance legislation in the name of investigations involving cyber and cell phone technology. The Canadian Association of Chiefs of Police says such investigations are being hampered by antiquated laws and wants Bill C-30 back on Parliament’s agenda, though privacy concerns halted its progress earlier this year. Police say requiring Internet providers to share information on subscribers would allow for better crime-solving and would help thwart cases such as cyberbullying. Meanwhile, Bill C-12, which would facilitate data sharing between online service providers and police, is expected to see a second reading debate soon. [Source] SEE ALSO: [Edmonton police in the wrong for withholding file, rules Alberta’s privacy commissioner]

US – Police May Use Hidden Surveillance Cameras on Private Property Without Warrant

A federal judge in Wisconsin has ruled that law enforcement officers may, in some cases, install hidden surveillance cameras on private property without first obtaining a warrant. US District Judge William Griesbach ruled that the US Drug Enforcement Administration (DEA) acted reasonably when it entered private property without the owners’ permission and without a warrant and installed several hidden surveillance cameras in an operation aimed at gathering evidence that the suspects were growing marijuana. The defendants, who could face life in prison and fines of up to US $10 million, maintain that their Fourth Amendment rights were violated because there were “No Trespassing” signs posted on the 22-acre property. Judge Griesbach adopted a recommendation by US Magistrate Judge William Callahan that said the action did not violate the defendants’ Fourth Amendment rights. The trial is scheduled to begin in January 2013. [CNET] SEE ALSO: [AB – Cops to test ‘body-worn video’ to record police work]


US – Judge Concerned About Warrantless Cell Tracking

A Texas judge has concerns about the ways law enforcement agents are using technology to gain data on cell phones in particular areas. Magistrate Judge Brian Owsley recently denied two federal requests for warrantless cell phone tracking, noting the government should apply for warrants. The judge says he’s concerned agents and U.S. attorneys don’t understand the technology. “Without such an understanding, they cannot appreciate the constitutional implications of their requests,” Owsley wrote in an order last month, adding there has been no discussion around how data retained on innocent people would be used. [The Wall Street Journal]

US – The Growing Use of GPS Tracking Devices

The New York Times reports on the use of GPS tracking devices by families. The small, beeper-like gadgets can be placed in a car to follow a teenager or spouse, in a child’s backpack to ensure the child gets to and from school safely or embedded in medical-alert technology to provide emergency help to the elderly. The user can track a subject’s location via the web or smartphone app—and some companies offer multiple tracking services. This “kind of air-traffic control panel of familial concern” raises issues of privacy and personal space, the report states. [Source] SEE ALSO: [Location-based services: Common sense will keep you safe]

CA – Woman Files Suit Over iPod Location Privacy

A Surrey woman has filed a suit in British Columbia’s Supreme Court alleging Apple’s iOS 4 operating system violates users’ privacy rights. Amanda Ladas says her iPod allows anyone with “moderate computer knowledge” to determine her location. The suit, which seeks class-action status, claims Apple has “violated the privacy and security rights” of Ladas and other potential plaintiffs and “has engaged in deceptive acts or practices” entitling plaintiffs to damages. [The Vancouver Sun]


IN – Gov’t Panel Issues Privacy Law Recommendations

A government-appointed panel tasked with identifying privacy issues and preparing a report to facilitate the proposed Privacy Act has issued its recommendations. Led by former Delhi High Court Chief Justice A P Shah, the group laid out guidelines on telephone tapping and other forms of communications surveillance as well as recommendations to set up national and regional privacy regulators. The group identified differences between existing laws that allow government surveillance, stating, “these differences have created an unclear regulatory regime that is inconsistent, non-transparent and prone to misuse and does not provide remedy or compensation to aggrieved individuals.” [The Times of India]

IN – India Asks EU to Declare it as “Data Secure” Country

The government of India has asked the EU to declare the country as “data secure.” Without a data secure declaration from the EU, sensitive data such as medical information cannot legally flow between the regions. India Commerce and Industry Minister Anand Sharma said, “It is our clear analysis that our existing law does meet the required EU standards. We would urge that this issue is sorted out quickly, and necessary comfort in declaring India data secure in overall sense needs to be given as almost all the major Fortune-500 companies have trusted India with their critical data.” The EU is studying whether India’s laws meet the EU’s directive. [The Times of India]

SG – Gov’t Considers Banning Free Phone Books

Singapore is considering halting the publication of free telephone directories due to privacy concerns. Concerns about the listing of residential and office numbers have prompted the Infocomm Development Authority of Singapore (IDA) to publish a consultation on whether “it is still necessary to maintain the regulatory requirement for Directory Services.” The IDA notes “increasing public awareness, and concerns, about use and protection of personal data.” Singapore’s Parliament passed a data protection law earlier this month that includes a Do-Not-Call registry, provisions on private-sector use of personal data and the creation of a new enforcement agency, which may fine noncompliant organizations. [AFP] SEE ALSO: [PH – High Court in Philippines Suspends Contentious Internet Law]

Online Privacy

WW – Yahoo to Ignore Default DNT Settings

Yahoo has announced that it will ignore Internet Explorer 10’s default do-not-track (DNT) setting, saying a setting turned on by default “ignores the wishes of its users.” Yahoo will continue to offer its Ad Interest Manager, which allows users to make choices about the online ads targeted to them, and other tools. “Ultimately, we believe that DNT must map to user intent, not to the intent of one browser creator, plug-in writer or third-party software service,” Yahoo said in a statement. [InformationWeek] SEE ALSO: [Letter from John D. Rockefeller to the Federal Trade Commission Regarding the World Wide Web Consortium Deliberations on Do-Not-Track – U.S. Senate] AND [The Bizarre, Belated Assault on Do Not Track – Leslie Harris and Justin Brookman, Center for Democracy and Technology] AND [US – Mozilla stresses privacy while testing new social API in Firefox]

UK – Do Not Track Standard Needs Action Says Commissioner

European Commissioner Neelie Kroes has accused members of the online industry of watering down a standard designed to protect consumers’ privacy on the web. Websites are under pressure to allow consumers much greater control over how they are tracked online, but work undertaken by the World Wide Web Consortium (W3C) to create a Do Not Track (DNT) standard was “not going to plan,” said Ms Kroes. She is angry about delays and about a proposal to exempt marketing. SEE ALSO: [NYT: Privacy Advocates and Advertisers at Odds Over Web Tracking]

WW – Microsoft Alters Its Privacy Rules

A new policy implemented by Microsoft allows it “broad leeway” over how it collects and processes information from consumers using its free, web-based services. Unlike Google’s policy changes earlier this year, “Almost no one noticed” Microsoft’s change, the report states, adding, “The difference in the two events illustrates the confusion surrounding Internet consumer privacy.” Consumer Watchdog’s John Simpson said, “What Microsoft is doing is no different from what Google did,” adding, “It allows the combination of data across services in ways a user wouldn’t reasonably expect.” A Microsoft spokesman said, “one thing we don’t do is use the content of our customers’ private communications and documents to create targeted advertising.” [The New York Times]

WW – Microsoft to Clarify Privacy Rule Changes

Microsoft has said it will clarify part of its new disclosure policy to explicitly state that it will not use personal information gleaned from certain free services for targeted advertising. Rep. Edward J. Markey (D-MA) sent a letter to the company expressing concerns that the move would allow Microsoft to compile “detailed, in-depth consumer profiles.” In a statement, Microsoft said, “We appreciate the feedback we’ve received, and as a result, we will update the agreement as soon as possible to make that point absolutely clear.” [The New York Times]

US – McDonald’s Removes Sharing Feature Following COPPA Complaint

McDonald’s has removed social networking features in some of its online games following complaints from a privacy advocacy group. The Center for Digital Democracy filed a complaint with the FTC last month alleging that the restaurant chain was violating children’s privacy laws by asking children, without requiring parental consent, to list the e-mail addresses of friends as part of a “tell-a-friend” feature. McDonald’s said it has removed the feature and that the online security of its guests “remains a top priority.” [The Washington Post]

US – Company Settles Supercookies Lawsuit

An analytics company has agreed to settle a class-action lawsuit over tracking practices. The settlement forbids KISSmetrics from using ETags and other supercookies for tracking purposes without first giving users “reasonable notice and choice” and requires it pay $2,500 each to the two consumers who sued as well as $500,000 in attorney costs. The suit alleged the company violated wiretapping laws by using ETag technology, which can be used to track users’ web movements even after they deleted traditional cookies. [MediaPost] SEE ALSO: [CA – Man distributed sexual images of ex-girlfriend to poison new relationship, court told]

EU – Law Student’s Quest Against Facebook Continues

Austrian law student Max Schrems has said Facebook and European regulators have not done enough to curb what he says are violations against European privacy laws. Founder of “Europe v Facebook,” Schrems is looking to raise approximately 200,000 euros to keep his campaign moving forward. “At the core of the fight is one of the overarching questions of our time: Who has rights to the trillions of bits of data users create online every day?” the report states. Schrems said, “We’re right now defining what our world is going to look like in 20 years.” [The Washington Post] SEE ALSO: [US: Facebook photos point to burglary, party at Tega Cay home] AND ALSO: [US – Obama Worries About Malia Using Facebook, Cites Privacy Concerns] AND [UK – Online life after death needs clear data regulation]

CA – Commissioner Cavoukian Joins the Fight Against Cyberbullying

Online social media networks like Facebook and Twitter appear to have become the new schoolyard for bullies. But unlike the tormentors of the playground, cyberbullies are able to lurk in the shadows of anonymity on the Internet, and their cruelty doesn’t stop at the end of the school day. The harm they inflict on their victims can have devastating effects, and for some may lead to the most tragic of consequences, said Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, in a YouTube video. [Source] SEE ALSO: [BC – Hackers say they’ve found Amanda Todd’s tormentor]

Other Jurisdictions

PK – Law Must Balance Security with Individuals’ Rights

Responding to criticism over a new Pakistani counterterrorism law, Sen. Raza Rabbani has said the law “must not be used to put the fundamental rights of people at stake.” The Fair Trial Act allows the state to intercept private communications, including e-mails, SMSs, phone calls and audio-visual recordings, in order to arrest suspected terrorists. The law has been tabled in the National Assembly. “We must strike a balance between adopting modern techniques of investigations and the fundamental rights of the people,” said Barrister Zafarullah Khan. [The Express Tribune] SEE ALSO: [HK – Hong Kong’s watchdog for data privacy sees upsurge in complaints]

AU – Australia Attorney-General Consults on Australian Privacy Breach Notification

The Australian Attorney-General has issued a consultation on a nationwide mandatory breach notification scheme; the rationale for such a scheme includes mitigation of consequences of a breach, deterrence/incentive to improve data security, tracking of incidents and provision of information in the public interest, and maintaining community confidence in legislative privacy protections. Triggers for notification could include an appropriate test (e.g. a “catch-all” test or specific triggers based on volume of records breached or sensitivity of the records); notification could be decided by the organisation or agency, the Commissioner, or the organization in consultation with the Commissioner, and notification could be provided to the Commissioner and/or the affected persons and the police, financial institutions and CERT Australia. The issue of timely notification must be considered (e.g. before a particular deadline or as soon as possible); the content of the notification should be detailed (e.g. a description of the breach, types of information lost, and contact details). A scheme could apply only to those agencies regulated by the Privacy Act, or all entities, with a potential exemption for law enforcement agencies; penalty options include civil, criminal or administrative penalties or the capacity to “name and shame,” with consideration given to the circumstances in which they are applied. [Discussion Paper]

AU – Mandatory Notification Back on the Table

Australian Attorney General Nicola Roxon has published a discussion paper, which includes a poll for the public to weigh in on the issue, on whether the country needs a mandatory breach notification law. Privacy Commissioner Timothy Pilgrim renewed his calls for such a law after a decrease in notifications in the last financial year. Pilgrim said “there is a strong case to have mandatory data breach notification laws in Australia” but cautioned against notification for minor breaches due to administrative burdens, notification fatigue and lack of utility, the report states. The attorney general is accepting comment until November 23. [The Australian Financial Review]

SA – Pending Privacy Bill Could Cost 35,000 Jobs, Observer Says

According to one critic, South Africa’s proposed Protection of Personal Information Act (PPI) could cause as many as 35,000 citizens to lose their jobs. The PPI is expected to limit unwanted telemarketing calls and spam, the report states. CareerCall’s Andy Quinan says the bill could affect the call-sector industry and stifle entrepreneurs who use telemarketing as a cost-effective marketing tool. Quinan has based his estimate on the 2008 C3Africa National BPO Survey. [ITWeb]

CO – Data Protection Law Becomes Effective

Colombia has enacted an omnibus data protection law, reports the Hunton & Williams Privacy and Information Security Law Blog. The law was enacted on October 17. It contains “significant notice and consent requirements, special provisions for the processing of children’s data, European-style data subject rights…and cross-border data transfer restrictions,” among other provisions. The law also calls for the establishment of a data protection authority. [Source]

UA – Insurance Group Asks for Veto

An insurance industry group has asked Ukraine’s president to veto a measure to amend the data protection law. The League of Insurance Organizations of Ukraine (LIOU) says the amendments “unreasonably extend the powers of the State Service of Ukraine on Personal Data Protection,” the report states. “We think the adoption of this law in such wording, despite numerous plus points, contains serious obstacles to entrepreneurship in Ukraine, creating a serious threat of the appearance of unreasonable additional financial and organizational expenses for businesses, as well as contradicting international standards regarding personal data protection, and the norms of the Ukrainian legislation,” the group stated in its letter. [KyivPost] SEE ALSO: [MX – Mexico Guidelines for Privacy Notice – Secretariat of Economy] and [AU – Office of the Australian Information Commissioner – Review of Counter-Terrorism Legislation] and [NZ – C v Holland – [2012] NZHC 2155 – High Court of New Zealand] and [RU – Recent Developments in Russian Personal Data Protection Regulation – Leonid Zubarev, Partner, and Anastasiya Lemysh, CMS Russia Client Alert]

Privacy (US)

US – California Issues App Developer Noncompliance Notice

California Attorney General Kamala Harris has reportedly sent out notices warning as many as 100 mobile app developers that they must conspicuously post privacy policies within the next 30 days to be in compliance with the California Online Privacy Protection Act. The new state protocol requires mobile applications that collect personal data within the state to post a privacy policy stating what data is collected and how it will be used. Harris said, “We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws.” [Bloomberg]

WW – Researchers Find Android Apps Pose Data Privacy Concerns

Researchers say that more than a quarter of Android apps available through the Google Play store appear to pose potential security risks to users. The researchers considered an app questionable or suspicious if it had the capability to access personal information such as GPS data, phone calls and phone numbers. Users were led into allowing the apps to collect the data when they were installed; if users do not agree to an app’s requests, the app will not run on their devices. The practice appeared to be popular among games, entertainment and wallpaper apps, despite the fact that those apps would seem to have little or no practical use for the information. The researchers state specifically that these apps are not considered malware, simply that they pose a privacy risk to users. [InformationWeek] [ComputerWorld]

WW – Study: Free Apps Present More Privacy Risks

A new study reveals that free mobile apps are more likely to cause privacy and data security risks to users than paid apps. According to a Juniper Networks survey of 1.7 million Android apps, free mobile apps are 401% more likely to track location and 314% more likely to access users’ address books than paid apps. A Juniper representative said, “Companies, consumers and government employees who install these apps often do not understand with who and how they are sharing personal information,” adding, “Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust.” [Source] SEE ALSO: [JP – Five Arrested in Japan in Connection with Malware Hidden in Android Apps]

US – Rules Surrounding App Data Collection a “Gray Area”

The New York Times reports on the gray legal area surrounding mobile apps. The law has not kept pace with advances in technology, resulting in online businesses’ collection of large volumes of personal data. Meanwhile, users are often oblivious. “Generally, most people are simply unaware of what is going on,” said one expert. App developers’ data collection practices are loosely regulated in the U.S., the report states. California Attorney General Kamala Harris recently reached an agreement with six leading companies that they would only sell or distribute apps with privacy policies, the report states. Meanwhile, in Europe, revisions to the data protection regulation would require consumer consent before data collection on the web. [Source]

US – California AG Tells Mobile App Makers to Post Privacy Policies

California Attorney General Kamala Harris has notified the makers of mobile applications that they will be held accountable for their handling of Californians’ personal data. The first round of notices was sent to the makers of 100 apps that do not have written privacy policies describing what data the app collects and shares. The companies have 30 days to post “conspicuous” privacy policies or face fines of up to US $2,500 each time a California resident downloads an app that does not have such a policy. Harris is extending the privacy requirements imposed on personal computers to smartphones and tablets. [Source]

CA – Privacy Commissioners Help Developers Create Privacy-Friendly Apps

Today’s app economy is like a new frontier marked by innovation, thousands of jobs and millions of consumers worldwide equipping themselves with useful, convenient, informative and entertaining tools. Like any new frontier, though, this one has risks, including those to privacy. To help heighten personal information protection in the mobile era, the Privacy Commissioner of Canada and the Information and Privacy Commissioners of Alberta and British Columbia today issued new guidance to help mobile app developers set themselves apart by making user privacy central in their design process. The guidance, shared with international data protection authorities and released upon the close of the 34th International Conference of Data Protection and Privacy Commissioners in Punta del Este, Uruguay, provides app developers with insights in the following areas:

  • Accountability under the law
  • Transparency
  • Collection
  • Gaining meaningful consent despite the “small screen” challenge
  • User notice and consent timing

The full guidance can be found on the web site of either: the Office of the Privacy Commissioner of Canada; the Office of the Information and Privacy Commissioner of Alberta; or the Office of the Information and Privacy Commissioner of British Columbia. [Canada Newswire]

US – Courts Widening View of Data Breach Damages, Lawyers Say

Federal courts are widening the definition of damages from data breaches. This “sea change” leaves unprepared companies at risk when it comes to class-action lawsuits, according to lawyers from the firm Pepper Hamilton. Until recently, courts would dismiss data breach lawsuits that couldn’t prove specific harm. But courts “are starting to pick up on the fact that the data that can get out there can cause serious harm, maybe not immediately but sometime in the near future,” lawyer Jeffrey Vagle said. A recent survey found the average settlement award for class-action data breach suits to be $2,500 per plaintiff. [CSO] SEE ALSO: [US: How should judge protect privacy of Colorado shooting victims?]

US – Court Allows Path Lawsuit to Move Forward

A judge has allowed a lawsuit against mobile app developer Path to proceed. The company has been urging the court to dismiss the suit, claiming users did not suffer economic harm, but U.S. District Court Judge Yvonne Gonzalez Rogers found that a user sufficiently alleged harm in the case. The company is accused of violating users’ privacy after it was discovered that users’ address books were uploaded without consent. A second class-action lawsuit against the company is pending in a federal court in Austin, Texas. [MediaPost]

US – FTC Finalizes Two Privacy Settlements

The FTC has finalized settlements with two companies for allegedly illegally exposing the sensitive personal information of thousands of consumers through the installation of peer-to-peer file-sharing software on computer systems. The settlements are with EPN, Inc., and Franklin Budget Car Sales, Inc., and will “bar misrepresentations about the privacy, security, confidentiality and integrity of any personal information collected from consumers,” the FTC press release states. The companies must also create and maintain comprehensive information security programs. [Source] SEE ALSO: [US – Facebook Amended Settlement and Release – U.S. District Court for The Northern District Of California]

US – State Tax Department Breach Incites Class-Action Lawsuit

Fallout continues from a breach at South Carolina’s state tax agency that affected 3.6 million individuals’ Social Security numbers. A law firm has filed a class-action lawsuit against both the state’s governor and the Department of Revenue (DOR) alleging they failed “to protect the citizens of South Carolina” and violated the state’s breach disclosure laws. The governor said the fact that the information wasn’t encrypted isn’t an anomaly. “It’s not just that this was a DOR situation but an industry situation,” she said. The breach may be the “largest cyber-attack against a state tax department in the nation’s history.” [The Washington Post] SEE ALSO: [US – Lauren Chaikin et al. v. Lululemon USA Inc., Lululemon Athletica Inc., and Does 1-50 – Class Action Complaint – Superior Court of California, County Of San Diego]

US – EFF Fights Energy Company’s Subpoenas

A privacy group is advocating against an energy company’s subpoena seeking information on dozens of e-mail accounts. Following a $19 billion judgment in favor of Ecuadorean aborigines and farmers against Chevron for an oil contamination, the company has filed subpoenas for information—including IP addresses and time stamps—about Yahoo and Google users, calling the verdict “extortionate fraud.” In response to the subpoenas, the Electronic Frontier Foundation has filed an amicus brief stating that the release of the information the company seeks would intrude on the privacy of the John Does involved, adding the court “should not permit Chevron’s unnecessary and unwarranted fishing expedition” without sufficient cause. [Courthouse News Service]

US – FTC Reaches Settlement with Analytics Company

The Federal Trade Commission (FTC) has reached a settlement with web analytics company Compete, Inc., for allegedly misrepresenting its data collection practices and failing to adequately secure collected data. The company has agreed to destroy data collected from users prior to February of 2010 and to undergo biennial audits for the next 20 years. According to the FTC, the company did not appropriately disclose “the full extent of data collected through tracking software,” and such a failure “was, and is, a deceptive act or practice.” Compete said, “We will continue to develop and uphold new standards for transparency and security.” [MediaPost]

US – Judge Dismisses Consumer Privacy Allegations

A federal judge has dismissed much of a class-action suit over a data breach at Sony’s PlayStation Network in April 2011. The suit alleges hackers were able to access the gaming network because the company negligently “failed to provide adequate firewalls and safeguards” for users’ personally identifiable information. Signing up for the games requires users to provide names, mailing addresses, e-mail addresses, birthdays and credit and debit card information, the report states. The suit alleges Sony should have known the system was vulnerable to an attack. A U.S. District Court judge has dismissed several of the suit’s claims, including violations of California consumer protection statutes. [Courthouse News Service] [US – In Re: Sony Gaming Networks and Customer Data Security Breach Litigation – 2012 U.S. Dist. LEXIS 146971 – U.S. District Court for the Southern District of California]

US – FPF Announces Privacy Papers for Policy Makers 2012

The Future of Privacy Forum (FPF) has announced this year’s selections for its Privacy Papers for Policy Makers. Of the more than 35 entries, eight were selected. The papers cover topics such as Privacy by Design, online behavioral advertising, mobile privacy, government surveillance, de-identification and social networking. FPF Founder and Co-chair Christopher Wolf said, “Improving privacy protection is vitally important in this technology age, so we are delighted to help build a bridge of communication between privacy scholars and privacy policy makers.” FPF Director and Co-chair Jules Polonetsky said, “These writings offer some of the most compelling and innovative viewpoints that we hope policy makers consider as they look to address privacy issues.” [Source]

Privacy Enhancing Technologies (PETs)

US – Carnegie Mellon to Offer Master’s in Privacy

Carnegie Mellon University has created a master’s degree program in privacy. The one-year program will start in the 2013-14 academic year and aims to prepare students for the increasing marketplace demand for privacy-savvy computer scientists and engineers. The program will include classroom instruction and a summer work experience project. CMU Professors Lorrie Cranor and Norman Sadeh created the program. [The Pittsburgh Post-Gazette]

CA – Privacy Commissioner Designates Route1 as Privacy by Design (PbD) Ambassador

Route1 announced that the Office of the Information and Privacy Commissioner of Ontario has designated the company as a Privacy by Design (PbD) Ambassador for its commitment to secure remote access and identity management, evidenced in the development and success of the MobiKEY. Route1, a security and identity management company, counts among its customers government and military organizations in the U.S. and Canada as well as private sector businesses such as law firms, healthcare facilities and financial institutions. MobiKEY provides multi-factor authentication to verify the identity of an individual attempting to remotely access data and integrates privacy protocols for both the user and the institution. [Mediacaster Magazine] SEE ALSO: [US – Symantec Corporation : Norton Hotspot Privacy Keeps Consumers Safe on Public Wi-Fi]


US – Cyber Liability Insurance Awareness Is Growing

A survey reveals that 60% of businesses do not have cyber liability insurance, but according to one expert, companies are becoming more aware of it. The Advisen survey report states that 52% of businesses not currently covered have no plans to gain the insurance in the next year. Pinsent Masons’ Ian Birdsey said, “When you consider the frequency, severity and exposure of security and data breaches,” it’s “surprising” that 52% are not considering the insurance. Birdsey noted that “the test remains whether advocates for data risks or cyber liability insurance cover at general counsel or chief privacy officer level can persuade their management teams to allocate budget to buy cover in the next financial year.” [OUT-LAW] [The Advisen survey report] SEE ALSO: [US – Cyber Risks: An Insurance Perspective – Jillian Raw, Kennedys LLP] AND [EU – ENISA, Annual Incident Reports 2011] AND [EU – Lifecycle Data Protection Management – Alexander Alvaro, Vice-President of the European Parliament: the concept of lifecycle data protection management (“lifecycle DPM”) is proposed in addition to the framework contained in the EU data protection regulation proposal] AND [AU – Information Security Manual 2012: Executive Companion – Department of Defence, Australian Government] AND [CA – Feds earmark $155M over five years to fight cyber threats]

Smart Cards

US – Supervisor Calls for Public Transit Card Privacy

A San Francisco supervisor is calling for stricter privacy controls surrounding “Clipper cards” used to pay for public transportation. Supervisor Jon Avalos has introduced a resolution to ensure that “people who are using Clipper cards can actually be protected against any use of information about where they go and what their whereabouts are.” The cards do not contain personal information, according to a Metropolitan Transportation Commission spokesman, but do contain travel logs on a passenger’s past 10 trips. The agency is required by state law to provide travel information when subpoenaed, the spokesman said. [The San Francisco Examiner]

HK – Privacy Watchdog Slams Excessive Use Of Data on Customer Loyalty Scheme

Customers’ privacy may have been violated under customer loyalty schemes, the Privacy Commissioner for Personal Data Allan Chiang said in four investigation reports. The three schemes include the “Fun Fun Card” program by China Resources Vanguard Company Limited, the “Mann Card Program” by The Dairy Farm Company Limited, and the “MoneyBack Program” by A.S. Watson Group (HK) Limited through PARKnSHOP and Watsons. The commissioner particularly slammed Watson Group, directing it to stop collecting customers’ ID numbers and to completely erase the ID numbers of applicants and other data collected. “Ill-defined” purposes must also be removed. “After the Octopus incident in 2010, public awareness of the collection and use of personal data in direct marketing activities has significantly raised. I expect that corporations in Hong Kong should have learnt a lesson and paid more attention to data privacy regulations,” Chiang said. According to the report, the operators had collected the applicants’ Hong Kong Identity Card or passport number, complete or partial, for the purpose of providing them with a default log-in password for using the program’s online service. This amounted to unnecessary and excessive collection. In particular, the program operators had either not defined or ill-defined the purpose of use of the data and the class of data. [The Standard Hong Kong]


UK – Group Warns of Public Transit Privacy Concerns

Privacy International is warning that public transportation companies voluntarily share personal information about travelers with law enforcement agencies. “Every single authority and company we have spoken to so far has shocking practices,” said a spokesman from Privacy International, which has polled 48 transport authorities and companies globally to ask how they handle personal information stored on public transportation cards. “The problem with smart cards is that they record a very fine grain of information,” the spokesman added, in some cases including bank details, e-mails, passwords and telephone numbers. While court orders are required in some countries, that is not the case for others. [IDG News Service]

US – Judge: DEA’s Warrantless Surveillance Did Not Violate Law

A U.S. District Court has ruled that, in some circumstances, police are allowed to install hidden surveillance cameras on private property without a warrant. U.S. District Court Judge William Griesbach ruled Drug Enforcement Administration (DEA) agents had reason to “enter rural property without permission—and without a warrant” to install surveillance cameras to investigate suspected criminal drug activity. Griesbach’s ruling upheld a recommendation by U.S. Magistrate Judge William Callahan stating the DEA did not violate the law, as “The Supreme Court has upheld the use of technology as a substitute for ordinary police surveillance.” [CNET News]

US – Calif. Privacy Groups Oppose Cellphone Surveillance Device

FBI investigators used a court order authorizing access to cellphone customer data to quietly deploy a powerful surveillance technology known as “stingrays,” privacy groups contend in a new court filing that claims the devices are overly invasive. Your cellphone can be singled out by its international mobile subscriber identity, or IMSI, which then makes it possible to secretly determine your whereabouts using stingray devices, also known as IMSI catchers. The law enforcement tool troubles security experts and civil libertarians alike because it mimics cellphone towers. Stingrays track the locations of mobile devices, including those that are not targeted but are nearby. IMSI catchers can also be adjusted to capture the content of communications, although the government claims that was not done in this case. An expert in 2010 showed spectators at a technology conference in Las Vegas that IMSI catchers could be built at home for as little as $1,500, exposing a potential weakness in cellphone security. Thirty cellphones in the room reportedly attempted to connect to his do-it-yourself tower, and anyone in the room who made a call while connected to it received an automated message that said their communications were being recorded. The government’s pursuit of an alleged tax fraudster that began in Northern California and is now playing out in an Arizona courtroom has become the first major constitutional challenge to stingrays. Law enforcement agencies using the technology have held it close to the chest, and the public has little knowledge of it. In an Oct. 19 friend-of-the-court brief filed with the U.S. District Court of Arizona, the Electronic Frontier Foundation in San Francisco and the ACLU of Northern California argued that stingrays are “highly intrusive and indiscriminate,” and claimed government investigators sought to utilize them while providing Judge Richard Seeborg with scant details about the technology’s extraordinary power. [The Tribune]

UK – Draft Communications Bill: Powers May Uncover ‘Wrong Targets’

Plans to monitor all Britons’ online activity risk uncovering “incompetent criminals and accidental anarchists” rather than serious offenders, the information commissioner has warned. Ministers want to strengthen the law on internet data retention to help the police tackle security threats. Christopher Graham said the “really scary people” could simply avoid detection by changing their behaviour. Under the government’s plans, currently being scrutinised by Parliament, service providers will have to store details of internet use in the UK for a year to allow police and intelligence services to access it. Records will include people’s activity on social network sites, webmail, internet phone calls and online gaming. Ministers argue law enforcement agencies need to keep pace with the changing technology used by offenders but critics have called the proposals a “snooper’s charter”. [BBC]

WW – New Memoto Camera Captures ‘Every Single Moment Of Your Life’

Do you wish you had photos of “every single moment of your life” so you could “revisit any moment of your past”? Like the time you walked in on your roommates having sex, or the look of disappointment on your girlfriend’s face when you forgot her birthday? Then Memoto’s new wearable camera, about half the size of a matchbox, may be for you. The Memoto camera is constantly on while you wear it (clipped to a shirt or hung on a necklace), and you can use it rain or shine as it’s weather-protected. It has a GPS that geotags each photo and a battery that is said to last between one and two days and is recharged when connected to your computer. Dubbed a “lifelogging” camera—referring to the process of computer-assisted recording to capture large portions of your life—the creators say the name Memoto is associated with the words “memory motor.” Founded by six Swedish entrepreneurs and posted on crowd-funding website Kickstarter, the product exceeded its $50,000 funding goal in only five hours. It takes photos every 30 seconds and synchronizes with apps to work as a photographic memory – a digital timeline of your life. “The website talks about lifelogging as capturing your life, but what you’re really capturing is the life of everyone else around you… sometimes without their awareness,” said Dr. Bita Amani, an associate professor of law at Queen’s University who teaches a course on information privacy. Amani says Memoto raises three kinds of privacy issues: those related to the original recording (photographs), the subsequent publication (i.e. on Facebook), and cloud storage. She also notes that any kind of recording may become subject to a use other than what was originally intended. [Global News]

Telecom / TV

US – EFF, ACLU Take on Data Collection Practices

The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) are challenging the data-collection activities of Verizon Wireless. The advocacy groups say Verizon violates the federal Wiretap Act when it collects data on customers’ app usage, locations and web browsing and sells it to advertisers. Verizon says its actions are legal because it notifies customers of its practices and allows them to opt out, and the data cannot be tied to an accountholder. The groups claim, however, that the act of collection is the violation. “What you do after the fact is certainly important, but the violation of the Wiretap Act has already occurred,” said EFF lawyer Hanni Fakhoury. [PC World] [US: Verizon draws fire for monitoring app usage, browsing habits]

WW – Study: Free Apps Present More Privacy Risks

A new study reveals that free mobile apps are more likely to cause privacy and data security risks to users than paid apps. According to a Juniper Networks survey of 1.7 million Android apps, free mobile apps are 401 percent more likely to track location and 314 percent more likely to access users’ address books than paid apps. A Juniper representative said, “Companies, consumers and government employees who install these apps often do not understand with who and how they are sharing personal information,” adding, “Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust.” Among the findings:

  • 24% of free apps have permission to track location vs only 6% of paid apps.
  • 7% of free apps have permission to access your address book vs 2% of paid apps.
  • 2.6% of free apps have permission to silently send text messages vs 1.5% of paid apps.
  • 6% of free apps have permission to clandestinely initiate calls in the background vs 2% of paid apps.
  • 5.5% of free apps have permission to access the device camera vs 2% of paid apps. [San Jose Business Journal]

US Government Programs

US – Privacy and Civil Liberties Oversight Board to Hold First Public Meeting

The Privacy and Civil Liberties Oversight Board will hold its first public meeting this month, according to a notice in the Federal Register. The board, which aims to provide privacy oversight on U.S. surveillance and security measures in the fight against terrorism, had remained dormant since 2007, inciting widespread criticism. President Barack Obama appointed new members to the board in 2011, and the Senate confirmed four of five nominees earlier this year. The aim of next Tuesday’s meeting is to gather feedback from nongovernmental organizations and members of the public on priorities the board should consider on its forthcoming agenda. The public portion of the meeting will take place from 10 a.m. to noon on October 30 in Washington, DC. [Federal Register]

US – FTC Working on Data Collection Nutrition Label

The Federal Trade Commission (FTC) is working on a nutrition label for data collection. FTC Chairman Jon Leibowitz says the label would act as a “disclosure mechanism that websites can customize to succinctly tell consumers what kind of data they are collecting and how they are using it.” The news follows calls from academics and advocates for companies to create privacy policies that are accessible and easy-to-read and understand for the average consumer. [Law360]

US Legislation

US – FTC’s Proposed COPPA Changes Could Face Legal Challenge

A potential legal backlash may occur against the FTC if it pursues proposed changes to the Children’s Online Privacy Protection Act. At a recent forum, TechFreedom President Berin Szoka and others cited specific issues with the proposed changes, including expanding the definition of personally identifiable information to cover persistent identifiers, a move they believe could hamper website functionality and innovation, the report states. Szoka said, “The FTC should take the time next year, probably hold a workshop and discuss these things and issue a revised rule,” adding, “If they don’t, they will be sued.” [NationalJournal] see also: [No “Do Overs”: Children, Personal Information And Marketing In Canada]

US – Rep. Barton: “We Need Stronger Privacy Laws”

In a blog post, Rep. Joe Barton (R-TX) calls for tougher online privacy legislation. “If our forefathers knew what the Internet and modern technology would be like today,” Barton writes, “they would have put a right to privacy explicitly in the Constitution.” Barton contends that parts of the online industry are listening, “while others remain tone-deaf,” particularly in relation to Do Not Track. Barton writes that some are “putting profits over privacy” and describes the Do Not Track Kids Act as “common-sense legislation.” Meanwhile, the Center for Digital Democracy and Commonsense Media have launched an online petition aimed at persuading the FTC to “stay the course” on proposed changes to COPPA. [Source]

US – Lawmakers Call for Improved Medicare ID Theft Prevention

Reps. Wally Herger (R-CA) and Sam Johnson (R-TX) are calling on the Department of Health and Human Services (HHS) to remove users’ Social Security numbers from Medicare cards. Citing a recent report that found flaws in the way the HHS responds to Medicare identity theft, Johnson said, “This report is a wakeup call for (the Medicare agency) to heed the advice of its own inspector general and take immediate action to develop a new system for protecting seniors from medical identity theft.” [The Hill]

US – FTC’s Ohlhausen Skeptical of New Privacy Legislation

The FTC’s Maureen Ohlhausen has voiced concerns that calls for new privacy legislation could undermine the FTC’s other task of promoting competition. Ohlhausen said, “Before seeking new privacy legislation, I think it is important to identify a gap in statutory authority or to identify a case of substantial consumer harm that we would like to address but can’t within our existing authority.” Ohlhausen noted the many benefits of information sharing for consumers, adding, “that’s why I am concerned about treating privacy solely as a consumer protection issue. It also must be viewed through the competition lens if you want to reach the best outcome for consumers.” [National Journal]

US – NJ Senate Passes Applicant Privacy Bill

New Jersey’s Senate has passed a law to prevent employers from requiring applicants to provide access to private accounts. The Assembly passed a similar bill in June. “There are plenty of other steps in a job application process for employers to gain a profound understanding of an applicant’s experience, fitness and personality,” said Republican State Sen. Kevin O’Toole, adding, “Applicants should not have to choose between preserving their due privacies and earning incomes.” The bill also bans “associated discrimination or retaliation” and allows applicants to sue for damages in the event of violations, according to the report. [NJTODAY.NET]

Workplace Privacy

CA – Supreme Court Confirms Privacy Survives in the Workplace

Many employers seek to remove any reasonable expectation of privacy by telling employees that they should not expect any privacy when using workplace computers during company time. Earlier this month, the Supreme Court of Canada grappled with the question of workplace privacy and arrived at a somewhat different conclusion. Michael Geist’s technology law column (Toronto Star version, homepage version) notes it ruled that the workplace environment may diminish an employee’s reasonable expectation of privacy, but it does not remove the expectation altogether. The case involved a criminal action against a high school teacher, who was provided with a school-issued laptop computer that could be used for incidental personal purposes. A computer technician at the school discovered nude photographs of a female student while performing routine maintenance on the machine. The school copied the images and turned over the computer and the images to police, who later charged the man with possession of child pornography and unauthorized use of a computer. The legal issue in the case turned on whether the police conducted a warrantless search of the computer in violation of the Canadian Charter of Rights and Freedoms, which guards against unreasonable search and seizure. To answer that question, the Court assessed whether the employee had a reasonable expectation of privacy, which the Court ruled depends upon the “totality of the circumstances”. Given competing interests, the Court ruled that the reduced privacy interest was not eliminated in its entirety. It therefore ordered that the teacher face a new trial. [Source] [CA — Privacy in Workplace Computers: Employers Can Manage Employee Expectations of Privacy – Earl G. Phillips, Partner, McCarthy Tetrault LLP]

CA – Supreme Court: Employees Have Computer Privacy Rights

The Supreme Court of Canada has ruled that employees have some privacy rights over workplace computers and that computers should not be searched by law enforcement without a warrant. In the 6-1 ruling, the court wrote, “Computers that are reasonably used for personal purposes—whether found in the workplace or the home—contain information that is meaningful, intimate and touching on the user’s biographical core.” The author of the ruling, Justice Morris Fish, added, “Canadians may therefore reasonably expect privacy in the information contained on these computers, at least where personal use is permitted or reasonably expected.” [Toronto Star] SEE ALSO: [OIPC AB – Order F2012-23 – Alberta Corporate Human Resources re: collect an employee’s personal information (“PI”) for its operating activities] AND [Datatilsynet, Norway – “A Normal Day at Work”: Workplace Electronic Tracking] AND [FR – Companies, Other Than Those from the Banking and Financial Sectors, Now Allowed to Implement Background Screening Processing for the Detection and Prevention of Corruption – Denise Lebeau-Marianna and Idriss Kechida, Baker & McKenzie] AND [AB: Court injunction granted to prevent random drug testing]



01-15 October 2012



CA – Authorities to Cooperate on Cross-Border Digital Privacy

The German and Canadian data protection authorities have signed an agreement on protecting privacy in cross-border data transfers via the web. The countries will cooperate on specific cases and inform each other on privacy complaints. “Since personal data can be transferred to other countries and parts of the world with one mouse click, data protection agencies have to cooperate better internationally,” Canada’s Office of the Privacy Commissioner noted. Germany and Canada plan to discuss extending the plan to additional countries at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay later this month, the report states. [IDG News Service]

CA – Stoddart’s Annual Report Raises Surveillance, Disposal Concerns

A proposal set forth by the Royal Canadian Mounted Police and House of Commons to more than double the number of video cameras on Parliament Hill has raised concerns from federal Privacy Commissioner Jennifer Stoddart. “We were concerned about the scope of the project and its potential impact on the privacy rights of parliamentarians, parliamentary staff, guests and visitors to Parliament Hill,” Stoddart’s annual report states. “According to the preliminary (privacy impact assessment), a deliberate decision was made to not post signs notifying individuals of video surveillance on Parliament Hill.” Meanwhile, Stoddart’s report has also raised concerns about the way Veterans Affairs disposes of documents containing sensitive personal information. [The Canadian Press]

CA – OPC Receives Formal Complaint Over Gov’t Questionnaire

The Office of the Privacy Commissioner (OPC) has received a formal complaint about a controversial qu